|
October 03, 2008
URL:http://www.drdobbs.com/security/googling-security-mapping-directions-and/210605629
Editor's Note: This article is based on Googling Security: How Much Does Google Know About You?, by Greg Conti. Greg is an Assistant Professor of Computer Science at the U.S. Military Academy in West Point, New York. Courtesy of Addison-Wesley Professional, All Rights Reserved.
Before the dawn of online mapping and imagery services, we were forced to use printed books, such as the National Geographic Atlas of the World, to view the world, and the Rand McNally Road Atlas, to navigate unfamiliar locations.We shared directions to our homes via verbal instructions over the phone or written notes. Businesses distributed directions and small maps in paper brochures via the postal system and in brochure racks. High-resolution satellite imagery was available to a select few governments and largely unavailable to the masses. As a result, your interest in parts of the world, places you wanted to visit, and how you got there was largely a personal matter. Have times changed.
Free online mapping services include offerings by Google, AOL, Yahoo!, and many more. Each of these services allows you to view maps overlaid upon satellite1 imagery and is tightly integrated with tools that give precise directions to desired locations. Wildly popular, AOL's MapQuest currently enjoys the largest share, with 53.9 million users per month, followed by Yahoo! Maps with 29.6 million and Google Maps with 28.9 million. Over time, hundreds of millions of users utilize these services to find directions to points of interest, including homes of friends, businesses, and travel destinations. These mapping tools have enriched lives by helping people navigate from place to place and explore the planet. Unanticipated uses have shown that these services have the power to do great good, including raising awareness of the crisis in the Darfur region of the Sudan, assisting rescue efforts and damage assessment following Hurricane Katrina, and monitoring the impact of Appalachian coal mining on nearby ecosystems. Google admirably encourages the use of its Google Earth tool to help build support for such worthy causes. The future holds great potential in utilizing these tools to help build communities and facilitate citizen journalism.
So what is the harm in using these services? Well, it turns out, a lot. You face significant risks from both your use of these services and the content they contain. This article analyzes the information you disclose when using mapping and imagery services, including how your use of these tools discloses locations of your home, employer, family and friends, travel plans, and strategic intentions, and discusses how data mining can easily link seemingly disparate groups of people based on their interest in common locations. It also covers the risks inherent in the content itself, including camera-equipped cars capturing continuous streams of high-quality street-level photographs, collaborative analysis of satellite imagery, and your inability to trust the veracity of the images themselves.
Location, location, location. This is most important information you disclose when you use online mapping and imagery services. Ask yourself the following questions the next time you consider using Google Maps or Google Earth:
Beyond simple locations, you are revealing a great deal of additional information through your interactions, including the following:
It is possible to use your IP address to identify the probable location of your computer. So when using mapping and imagery tools, not only are you disclosing areas of personal interest, but this information also can be paired with your actual location based on IP geolocation.
The primary way of interacting with the mapping interface involves dragging the image with the mouse and using the zoom slider. Even these simple interactions reveal a lot. Imagine all the points you've zoomed in on using Google Maps. The sum total would be enlightening indeed. The set probably includes your hometown, previous homes, family members' homes, travel destinations, and your employer. If you revisit the same locations frequently, you are helping to identify their value to you.
Consider a real estate shopping example. Figure 1 depicts housing subdivisions in Las Vegas, Nevada. For this example, let's assume that you viewed the homes in the squares (at maximum zoom) every few days. At the same time, you conducted a large number of searches on "Las Vegas Real Estate."After two weeks of such activity, you zoom in on the home in the topmost square and click the Google Maps Link to This Page command. After e-mailing this link to your friends and family, they all click the link and view the home you intend to purchase.
In actuality, your use of online mapping and imagery services is far more complex than this simple real estate example. You create a constantly lengthening trail of interaction data, including zoom level, size of the map, time and date, mapping location, and your IP address each time your browser requests updated information from the server. The following are examples of interaction data I collected while panning and zooming during a short Google Maps session. During the course of several minutes,my computer made more than 600 similar requests. Each URL resolves to a small graphical tile of the map.
http://mt1.google.com/mt?n=404&v=w2t.75&hl=en&x=9467&s=&y=12151&zoom=2&s= http://mt0.google.com/mt?n=404&v=w2.75&hl=en&x=1180&y=1518&zoom=5&s=Ga http://mt2.google.com/mt?n=404&v=w2.75&hl=en&x=1180&y=1517&zoom=5&s=G
Note that online mapping and imagery services are complex applications that will evolve over time and process data differently. In this case,my browser made a significant number of mapping data requests as I interacted with the system, but the size, resolutions, and frequency of interaction disclosures will vary from system to system. In other words, some systems will make frequent small requests for additional map data as the user zooms and moves about the map, while others will make less frequent but larger requests. In some cases, mapping and imagery systems will prefetch information in anticipation of a user's upcoming actions, without any direct interaction on the user's part.
In addition, by clicking options such as Print, E-mail, Link To This Page, or Save, you are helping to identify your intentions and importance of the given map. For example, when you create a link to a given location and share it with others, you create a connection between each individual the moment they open the e-mail and click the link. Similarly, when you click the Print command (see Figure2), you create a strong indicator that you value the current map state enough to print a copy. From these combined streams of data, data-mining applications could detect and classify many types of activity you would prefer to keep private.
Using Google Maps involves more than simply interacting with the display to locate areas of interest, or even printing, saving, or sharing maps. You can also search the map and jump immediately to addresses, zip codes, businesses, and cities of interest. Figure 3 shows a Google Maps search for "pizza in Poughkeepsie," the sample entry suggested on the Google Maps web page.
So what are the risks of combining search and mapping? Well, by doing so, you are combining the disclosure risks of search with specific geographic locations and the interaction revelations described in the previous section. For example, by clicking one of the results in the search pane on the left side of the display, you can bring up specific details about one of the locations marked on the map. However, you are also disclosing -- and, hence, strengthening -- the link between the search you performed and what you deemed as important in the results. Say you were searching on a specific person and returned a number of results. By clicking on the link corresponding to the specific individual you were interested in, you've yielded a clue to the most relevant result.
Enticed by such slogans as "Make Google Maps your maps," many users have personalized their maps. Google Maps supports the creation and sharing of personalized, annotated maps. Annotation includes marking favorite places and drawing lines and shapes to highlight paths and areas, as well as adding text, photos, and videos. Unfortunately, the more you personalize your maps, the more information you disclose. The potential disclosure risks are quite significant. Users have almost an unlimited ability to share sensitive information and tie it to specific locations on the map. Some users will likely add personal or sensitive locations, such as their friends' home addresses or facilities at their place of employment. Such disclosure could provide the information required to link disparate profiles contained in an online company's databases. Recall that Google possesses extensive address databases for individuals and business, which enables them to create many additional linkages. In short, personalization functions, almost by definition, help compromise your anonymity.Many personalization functions in Google Maps require you to log in using a Google account, uniquely identifying your activity.
When using mapping and imagery services, you provide another vehicle to tie together individuals and organizations. As I mentioned at the start of this article, using mapping and imagery applications discloses locations you are interested in, but now consider that you can be linked with other people who are also interested in the same or similar locations. A great example is that of your parent's home. Chances are, you have looked at it using Google Maps. I'll bet your siblings have done the same. Now ask yourself how many other people have zoomed in to that exact same location.My guess is, not many. Bingo, a unique characteristic shared by you and your family.
Now consider your company. Let's say that it has 1,200 employees located at 10 locations, some not publicly known. Imagine mapping activity from the IP address ranges used by your corporate headquarters, as well as the other locations, all seeking directions from Ministro Pistarini International Airport in Buenos Aires to the street address of a meeting site at the outskirts of the city. Because this activity is out of the norm, you've just created a unique set of characteristics that ties together your various company offices with a potentially sensitive meeting. You've also disclosed, with a high probability, the travel plans of the meeting participants, as well as given a clue to the strategic importance of Argentina to your company's planning.
Using online services that provide directions reveals sensitive information. Typically, you enter a starting point and a destination, often using precise street addresses. As discussed in the preceding section, these addresses provide a very powerful means to tie together disparate individuals. The more specific and rarely used the addresses, the higher the possibility of creating a useful link between the two. Using direction-giving services (see Figure 4), you are also giving away your probable route of travel. By clicking the Print option, you indicate that you will probably be traveling the route in the near future. Similarly, if you used the e-mail or Link To This Page options, you've then linked yourself with a group of individuals who will likely be traveling over the same route after they click the link.
Now imagine all the directions that your employees have generated using your company headquarters as a starting location and leading to destinations throughout the surrounding area (see Figure 5).You may be giving away the commuting routes of your employees, the locations of their homes, their lunch meeting venues, and perhaps even your company's strategic intentions. Similar searches could identify the home IP addresses of these employees, as well as many visitors to your company. Finally, if cookies were enabled on these machines, all of their online activities with a company such as Google could be tied together despite movement around the world. This is a security risk indeed.
If you consider all such requests to your corporate headquarters, such tools represent a significant disclosure threat, particularly over long periods of time.
At the time of this writing, there are 50,000 Google mashups. Mashups are a powerful innovation that enables users to plot virtually any sort of information with a geographic component on top of Google Maps. As one blogger elegantly put it,"Now information on the web does not need to bind to just what and how. Your piece of information can also represent where." Google Maps mashups have exploded in popularity and have been used for everything from locating street light cameras and inexpensive gas to identifying where UFOs have been sited (see Figure 6). However, mashups combine the general sensitivity of using mapping services with two other important disclosures. The first is your interest in a given subject, such as evading red light cameras. Second, mashups identify your visit to a given web site. Typically, an online company knows if you visit only one of its web sites. By embedding a map inside a third-party web page, Google can track your activity as you hop around such sites.
High-resolution satellite imagery was once the sole domain of intelligence agencies, but now high-quality imagery is available for free (think of the tools provided by Google, AOL, and Yahoo!).We've just looked at how our interactions with these services disclose sensitive information, but it is important to consider the content of these services, even if you never use them yourself. This class of threat is somewhat different, in that the content itself might be sensitive to those in the images, both from overhead and at street-level views. The advent of high-resolution overhead imagery being placed in the hands of the masses has dramatically changed the idea of physical security. Historically, national borders, fences, guards, and other safeguards have limited access to sensitive locations. Only nation-states had the capability to examine these locations, using, among other things, the relatively risk-free access provided by satellites and highaltitude aircraft, such as the U2. You couldn't merely hop onto Google Maps and zoom in for a detailed look. This level of easy access has changed the idea of security and privacy. John Young's Eyeballing Series at Cryptome.org and Eyeballseries. org demonstrates the power these tools give us. Young combines high-resolution satellite images with other publicly available information to create powerful analyses of such things as the residence of the Vice President of the United States, India's Bhabha Atomic Research Center, and the National Security Agency. Similarly, Alex and James Turnbull's Google Sightseeing site (www.googlesightseeing.com) highlights areas of interest found in Google imagery data. They have categorized images from around the Earth, including aircraft, bridges, buildings, movie locations, spacecraft, and even naked people.
Whereas Google Sightseeing depends on tips from Google sightseers around the world to find interesting spots,Wikimapia takes a different approach.Wikimapia allows web users to directly annotate Google imagery. These annotations, some 4.5 million, are then visible to the world. The concept is simple, cool, and useful, but the security risks are profound. Any user can annotate the maps, based on inside information, that would otherwise be impossible to detect via imagery alone. Figure 7 illustrates one such example. As you examine the figure, it is very unlikely that you could identify the structures at the center of the two large circles.Well, one Wikimapia kindly labeled these as "Jump Towers."With a little research, you will find that these towers are used to train paratroopers at the U.S. Army's Airborne School. The important lesson here is that it takes only one knucklehead to disclose something you or your company would have preferred to keep secret; with Wikimapia, or a similar tool, they can share it with the world.
Today imagery is gathered via satellites, manned aircraft, unmanned aircraft, and even cars instrumented with cameras (see the section "Street-Level View"). In the future, we will see imagery gathered from virtually any platform you can imagine, and you can expect the resolution of the images to increase significantly as sensor technology improves. It seems as if we are living in an ever-increasing surveillance grid.Virtually every modern cell phone has a built-in camera, and many phones also have embedded GPS. The combination of the two has led to the rise of geotagging, which is the embedding of geographic information in various forms of media. Sites such as flickr.com now allow easy publishing of geotagged images. (See Figure 8.) We also are seeing a significant increase in the number of government and commercially run surveillance cameras, such as the British traffic wardens who were issued head-mounted video cameras and the plans for creating a security veil of license plate readers and more than 3,000 public and private video cameras covering downtown New York City.
Imagery analysis is the art of analyzing images to extract useful information. Overhead imagery analysis has been practiced since 1858, when the first aerial image (of Paris) was taken by Gaspar Felix Tournachon from a balloon. Images were later captured from cameras carried by pigeons (1903), kites (1906), and compressed air rockets (1906).Wilbur Wright took the first photograph from an airplane in 1909 of Centrocelli, Italy. The intelligence value of overhead imagery did not go unnoticed by the military. Overhead images were collected during the U.S. Civil War,World War I, and World War II, but this increased in significance with the advent of satellite imagery. Corona was the United States' first photo reconnaissance system. It operated from August 1960 to May 1972 and was declassified in February 1995. During the 12-year program, it flew more than 100 missions and captured more than 800,000 images.25 The satellites in the Corona program were given the KH (KeyHole) designator from KH-1 to KH-6, with a maximum ground resolution (that is, for the smallest discernible object) of 6 feet.26.
Today Google Earth and Google Maps users enjoy significantly greater resolution with images collected using satellites and aircraft, opening up the art of imagery analysis to anyone with access to the Internet. These images, along with other information freely available on the World Wide Web, have magnified the sensitivity of the content of these online services. In the past, nations risked the lives of spies and service members to acquire what you now can simply download from your living room or office. Full coverage of the risk associated with overhead imagery is beyond the scope of this book; however, it is important to realize that although an untrained eye can detect sensitive information, an experienced imagery analyst can extract significantly more insight. Let's consider a few simple examples.
The first example is that of a humble parking lot. Google Maps has plentiful imagery of many cities with resolution capable of detecting relatively small objects, such as automobiles. Figure 9 shows an example of a shopping mall from Google Maps. Note that something as innocuous as a parking lot can reveal a great deal of information, such asvthe number of employees a company might have or whether the image was taken on a weekend or weekday.
If you've ever played a city building game, such as SimCity, you've carefully built a city by adding commercial, industrial, and residential zones, as well as transportation and public utilities. Similarly, you can analyze a city by deconstructing it layer by layer. See Table 1, which I've based on the menus of SimCity and other sources, for more detailed examples. A profound security risk arises from skilled analysis, and we can do little to protect against it, unless we want to install camouflage netting over our homes and businesses.
We face two major threats regarding online mapping and imagery: the sensitive information we disclose through our interactions with these services and the content itself. Our interactions reveal locations of interest and the time we were interested in them.We might reveal travel plans, confidential facilities, our homes, or other sensitive locations. Direction-providing services indicate specific destinations as well as the probable routes you will take. Social networks emerge as we share these locations via hyperlinks with our friends, families, coworkers, and readers of our blogs. Even apparently unrelated people can be linked because they examine or seek directions to similar locations. Table 2 summarizes the actions you might take when using mapping and imagery services and the types of information you can disclose.
The content itself also raises important security concerns. Your home, car, place of employment, perhaps even you, all probably exist in the terabytes of imagery data comprising Google Earth, Google Maps, StreetView, and similar services. In the future, we can safely assume that the number of sensors gathering information will increase.
Beyond static images, we will see video, perhaps combined with data from terrestrial sound sensors.We see early approaches now. The California-based company Wild Sanctuary has more than 3,500 hours of "soundscapes" and software that can layer relevant recorded sounds in Google Earth. AstroVision recently announced its plans to delive the "first live, continuous, true color image stream of Earth from space." We see only relatively sanitized data in publicly available systems. However, although it is likely occurring today, in the future it is easy to imagine multinational corporations sponsoring corporate overflights of locations of importance. Today we see powerful collaborative analysis of imagery through sites such as Google Sightseeing and Wikimapia, but in the future we can expect to see powerful automated processing augment these human-centric approaches. Advances in facial recognition, machine vision, data mining, and even automated lip-reading could one day be applied to global scale sensor data. Of more concern is that a future advance could be applied to all historical data. Even though a data-mining system cannot currently identify every face in Google's StreetView, a future system might well have this capability.
At their heart, mapping, directions, and imagery sites are about combining sensor data with other semantic information, such as highway traffic data, into a seamless, easy-to-use tool. I would like to suggest simple-to-implement countermeasures to help protect your privacy from surveillance sensors. Unfortunately, this genie is out of the bottle; unless we see major changes in privacy legislation, we need to seek new approaches to privacy and learn how to live in this environment. Currently, nation-states can use such extreme measures as anti-satellite missiles and armies can use battlefield deception and camouflage in an attempt to limit successful surveillance. Both of these are unrealistic to us average citizens. As one friend aptly put it, "I don't want to live in a place where I need to wear a ski mask to my local mall to protect my privacy."
Terms of Service | Privacy Statement | Copyright © 2024 UBM Tech, All rights reserved.