Hacker Newsnew | comments | show | ask | jobs | submit login
How taking pictures through windows can inadvertently reveal your location (ioactive.com)
161 points by sebkomianos 478 days ago | 67 comments



Isn't revealing your location the whole point of taking a picture from your hotel window and sharing it with the world on Twitter? I wouldn't be too surprised if I posted "I'm in Miami, and here's a view from my Hotel window" and someone was able to tell me the Hotel name and which side I was staying on. Infact, I'd be more surprised if someone couldn't!

The techniques used are not particularly ingenious here, especially as most of the photo's seem to depict some obvious landmarks to provide an easy point of reference, especially when given the extra information to focus on a specific location.

-----


Yep, pretty much. The article's neat, but isn't the point of the kind of pictures shown in this article to show where you are? I don't think you can call this "inadvertently".

This is a bit like checking in with Foursquare. If there's a security concern with showing it real-time and net-wide, then you just shouldn't.

Reminded me of this: https://pbs.twimg.com/media/Bm1gMRUCIAA8Y4E.jpg

-----


I think they point is that people would be surprised that you can relatively easily narrow down a vague picture to almost a floor / room number level.

I'm guessing some people may not be comfortable with that.

-----


he narrowed it down to like a 4 floor level. who cares? and pretty much none of that information came from the reflections, just the picture itself.

-----


You're not going to figure out the room number based on what lamp is in the room.

-----


Not from the lamp, from the geometry.

-----


Actually an interesting solution to the Foursquare check-in privacy issue that I've seen is people check in when they are leaving instead of arriving.

-----


This may be a dumb question, what is the value in checking in when leaving? I might not understand the point of foursquare, I thought the check-ins were used so people could meet up with friends who were in the area.

Are there rewards or incentives for checking in or is it for social prestige by being in the right places at the right time? Something else I'm not thinking of?

-----


When you check-in on arrival, that can cause two problems; one, people (whom you don't want to meet) can come to the location to find/meet/stalk/harass you; and two, people know that you're there and not somewhere else (so they know your car/house/office/dog is potentially unguarded).

You can use checkins (especially those of Instagram or Foursquare addicts) to determine someone's pattern; if they always go to Starbucks in the morning for a snack, then go for a run for 30 minutes, then hit the grocery store on the way back, you can figure you probably have 45 minutes to loot their house, search their stuff, etc. before they get back. If you've seen the inside of their house before, you might know that there are spare keys, or a rarely-used door that you can unlock, etc. which gives you more access to the house later, even if your timeframe is limited.

Etc. etc.

Anyway, checking in as you leave throws off that timetable. People can't come meet you (because you're already gone), and you won't tell people you're out of the house until later, cutting down on their window of opportunity.

-----


I understand the problems with checking-in as you go places. What I don't understand is the value in checking in as you leave. Why publish a check-in at all? What do users gain by checking-in?

-----


Assuming that someone is familiar with the location, of course. Also, many times people want to post the view, how many times are they tweeting their hotel and room addresses?

One could use these (and other) techniques to pinpoint your location from anywhere in the globe, without even setting foot in that location, perhaps not even the country.

Keep in mind that the poster "eyeballed" the floor height. With more work, it is possible that he could have figured out not only the floor, but which window the picture was taken from.

Also, nice call on reflections of safes and notebooks.

-----


But none of the information gained from the reflections were not obtainable in another way. In the first example with this image http://4.bp.blogspot.com/-G-MF-A05uSs/U2CA_n8IKfI/AAAAAAAAAZ... He claims it could be three possible hotels from that area. Yet it can actually only be one because there is only one hotel on that side of the road (you can see the road below). I went from that picture I just posted to the actual location without reading the rest of the blog. I have never stepped foot or even seen a photo of Miami. Those buildings are extremely unique. Once I found those buildings, I moved the view around in Google Maps to get me the EXACT point of reference which could have been two different hotels. but Like I said, only one on the correct side of the street.

On the second example, I was able to locate the picture simply by Google Maps. There aren't many buildings with domes on the top of it that is basically right next to water. It took me 3 minutes. Once I found it, I lined up the shot and found the building. There was only one it could have been. With a quick google search. To find which floor the picture was taken on, all I had to do was find which floor was completely straight in the photo (which means he was leveled with that floor) and then translate that height to the other building (by guessing). I guessed floor 17 which was one off and was the exact same guess as the blogger.

Basically, the blog post makes it seem he uses reflections to find where buildings were. In reality the reflections were not useful to locate the building, only to find interior shots after the location is discovered.

-----


TL;DR Be mindful of reflections when taking a picture.

"Conclusion

Clear and simple: the reflected images in pictures might disclose information that you wouldn’t be willing to share, such as your location or other personal details."

-----


Whilst this could be the case in some photographs, like reading reflected documents or personal information, the ability to see a reflected light and a photo frame which therefore narrows your location down to one of 30-40 identical hotel rooms doesn't seem like personal information to be wary off.

You're far more likely to inadvertently reveal personal information in the background of a photo of your actual hotel room that you are from looking out the window.

-----


reflected images in pictures might also disclose that you just got out of the shower and didn't bother to put on any clothes yet....

-----


Think beyond the work-safe examples and imagine forensic uses. Children being traffiked and abused in hotel rooms would be one example.

-----


I suspect child abusers generally move out of their landmark hotel room before sharing compromising pictures on the internet (and generally hang around in much less high-profile locations, for obvious reasons). Admittedly it would be a lot more forensically useful if the image had accurate metadata showing date taken.

I was hoping for something clever involving algorithms picking up subtle reflections that weren't visible to the naked eye and or algorithms automagically matching photos with other photos taken from similar angles, but this is Google-fu 101. If you tell people which city you're in and post a photo of the centre, people will probably be able to figure out where it was taken from. That applied long before the age of the internet and digital photography.

-----


Situations where criminal activity took place would usually include police (with child trafficking, more likely even the FBI). To think these ideas or photo analysis techniques are new to LE is naive.

-----


Granted that posting a pic from your hotel room, with emphasis on outside view doesn't leave a lot to be guessed but the author has done some reasonable sleuthing to be accurate, let's give him credit for that.

-----


I stopped reading when I saw the Vancouver photo. I mean, you probably know exactly where that is even if all you've done is fly over Vancouver, let alone been downtown a couple times.

-----


if they post on Twitter, probably they want you to know they are in some fancy hotel. And if you know the skyline very well, you can deduce which one.

What is really good here is that he went through all the steps in the deduction. Most people will not take the time or patience to pick the landmarks and do the perspective.

As for the article, I didn't know Google Earth was so extensive and I learned some interesting geologic features of Miami!

-----


I thought it was cool detective work and proved a good point, despite not being "particularly ingenious".

-----


Using the reflections as additional information is very interesting. However, I’m not that surprised that views from windows can be relatively easily located. Andrew Sullivan has been running his View From Your Window contest for four years now and people have been guessing the locations of the photos with scary accuracy (as good as in the linked post).

Here is the archive: http://dish.andrewsullivan.com/vfyw-contest/

Still, it’s probably more than 15 minutes work even in the best case scenario (and much, much longer in the worst case), can probably not be automated in any meaningful way (but that would be an interesting project, huh!) and is consequently only of interest to dedicated attackers, not general surveillance.

-----


And he doesn't even give a starting city or country. His readers have to narrow down the location using street signs, building types, car types, and other subtle hints. So if you don't want people to find you don't post pictures of where you are.

-----


> So if you don't want people to find you don't post pictures of where you are.

This cannot be said enough.

It's definitely worth educating people to the kinds of things they're exposing when publishing things like vacation photos, but most people shouldn't have a need for that level of information security.

-----


"Finally, do not forget that a reflection could be your enemy."

On a tangent - I didn't realize that the google maps 3D rendering has gotten so good over the last couple of years. I wonder how hard it would be to scrape the point data and satellite textures to source a GTA map, I'd love to cruise through actual Vice City with the GTA V engine.

If you haven't checked it out yourselves - breath-taking WebGL view of Miami (Chrome, OSX):

https://www.google.com/maps/place/Miami,+FL/@25.7747883,-80....

-----


If you're on OSX, try it out in Apple Maps, I find their 3D views superior to Google's and it's been available in more locations that I've looked at.

On the iPad you also get more control over viewing angles, I was surprised that you lose that on the desktop.

-----


Hold the 'Ctrl' key and you can use the mouse to rotate to any angle you like.

-----


Not the first time this has caught people out. (slightly NSFW) http://www.messandnoise.com/discussions/4112452

I refuse to believe some of these are "accidental".

-----


This reminds me, can't find it right now, but there is a picture circulating on Twitter of a safari park warning sign:

"Please make sure you turn off location and be careful about sharing photos of our rhino on social media, you may give away its location to poachers"

-----


https://twitter.com/robinsloan/status/463343201865048064

-----


Trying to find the source of that image - Google lists it on a few tumblrs going back to 2010 (tumblr apparently started in 2007, who knew) - except when you go to the oldest of them it's only just been posted, today, not 2010. Google never seem to have been able to do dates reliably.

-----


Thanks dude. That bush to the right is a rare plant that only grows in a 600 sq miles radius in a known part of Africa. The recon guys are already there and they said they've found the only manufacturer of plastic signs around that area that uses that font as the default one. Now they are "talking" to him about his customers. Once we have certain coordinates, we'll send them to our team of guys with guns on the ground and to the extraction and cargo transport teams. I can already feel the sweet smell of freshly powdered rhino horn :)

In the olden days we would have had to track the guy who took the picture and have a lengthy private talk with him, risking to expose ourselves in a "lawful" country, but this makes it so much easier...

-----


This reminds me of the child pornography case a few years back, where detectives were able to identify the hotels where the abuse took place via imagery of the rooms.

Interestingly, rather than figuring it out themselves (as the search space was too huge), they crowdsourced it by releasing images with the child photoshopped out.

-----


Point is: when you post a view or a location name that's when you want to tell the world where you are. I'm not inadvertently revealing my location I'm very much advertently revealing it.

I assume there are much more creepy techniques to tell where I am when I don't explicitly reveal it.

-----


If it comes to stalking someone, why just a hotel picture? Any picture, and previous context (e.g., "Miami, I am here"), can be tracked down to the exact location.

-----


I was going to say the same thing. This has little to do with hotels or reflections. Any picture at all with a skyline in it, given a good enough 3D map and some software (maybe the NSA has some already?), should be enough to pinpoint you pretty closely, depending on the nearness of the skyline and the quality of the picture.

-----


Views out the window are also very useful for finding the exact location of real estate for sale or rent, when the ad only shows an approximate location.

-----


I'll be taking this material and creating a tutorial "101: How to stalk a celebrity and make them feel slightly uncomfortable"

However, in all seriousness, nice levels of deduction going on here and only slightly creepy tweets :)

-----


So, 99.9% of the information was gathered based on the actual photo, and .1% of it confirmed with reflections. Impressive. Hmm, this picture of a landmark came from the building near the landmark. How did you get that with just reflections?!?

-----


With a set of photos of the same static scene, it's possible to figure out the camera position, angle, and focal length of every camera, sometimes to millimeter accuracy. You just have to correlate the same features in each frame, then solve it.

3d motion trackers do this. (Blender.org has one. You can solve this same problem using it. Bring in public and street view photos of the area. It's a bit of manual work to put all the images in a movie then go frame by frame and tag features... But you could get much more accurate than the article.)

The power is in having access to large databases of photos of everywhere, and even better if all the photos were taken the same way, like google's street view... and large amounts of computing resources to index and correlate all of the features from all of the images automatically.

I would be surprised if there is not a project in some huge company or lab that can identify features in nearly any public outdoor shot and determine exactly where it was taken. (perhaps for intelligence or forensics)

I believe this paper introduced me to the idea in 2006: http://research.microsoft.com/en-us/um/redmond/groups/ivm/ph...

-----


This is pretty neat, I wonder how hard it would be to automate using gmaps for an approx location.

-----


This is hardly "inadvertently" revealing your location: (1) they've told you where they are (extra from the actual Tweets, not the photos) and (2) these places are all near well-known landscapes.

I mean good job on taking the time to actually do it but I doubt this could be done for the vast majority of photos like this.

-----


As a countermeasure, the article notes turning off lights and so forth. Seems the author hasn't heard of polarized lenses. Others note that it's not a real security concern, no, but using a FLD lens will result in better photos when shooting through glass! Use it!

-----


This only seems useful if it is automated and extremely fast. If you are law enforcement there are faster ways to do this. Like just calling in the city the "bad" guy last checked in at.

And if you aren't, there are much easier ways to get info on the room someone is using, like social engineering. Which I'd actually one if the examples the author gave when he simply asked the victim in twitter what floor he/she was on.

I haven't seen criminal scenarios where the bad guy takes a photo if his view or checks in on four square, that doesn't get rounded up fairly quickly.

-----


Wait till the author can tell what you ate based on spectroscopic analysis of the reflection from the building across the shore. A la CSI syle.

-----


"Zoom in and enhance"

-----


Techniques like superresolution make this quite possible from a grainy video image: en.wikipedia.org/wiki/Superresolution

-----


A case for always using polarizing filter ;-)

-----


From the title of the article I expected this to discuss a computer vision related technique for enhancing the camera location using reflections.

Using techniques similar to those in photosythn, you can already determine camera location fairly accurately and easier than the manual work done by the article's author.

-----


There may come a time when indoor pictures could reveal your location as well. If you were to create a database of lots and lots of architectural plans, you could conceivably use computer vision algorithms for determining dimensions of a room as a few more known bits of entropy for identifying an indoor location.

-----


Possibly more interesting:

Research shows eye-reflections in photos could be used to identify criminals:

http://www.engadget.com/2013/12/29/eye-reflections-catch-cri...

-----


Dual Photography has always been the optical "trick" that's blown me away. Here's the demo video from Siggraph in 2005:

http://www.youtube.com/watch?v=p5_tpq5ejFQ

Skip ahead to 4:19 for a succinct demo.

-----


Well, unless I know there is somebody out to kill me, why would I care about giving away my location?

-----


e.g. "Finally safe from abusive ex, locked my door, staring out the hotel room window [pic]", or myriad other imaginable scenarios.

-----


When you're put into protection (including from abusive spouses), the first thing the agencies involved do is tell you not to contact friends nor relatives. Posting a picture of their accommodation on social media would be the stupidest thing they could do - reflection or not.

So if they proceed to do this even after being advised not to; then I have to question if subconsciously they really do want to be caught (it's saddening just how emotionally dependant victims of abuse are on their abusers).

But this is now taking a tangent onto a whole other topic.

-----


What if they just ran away on their own? Anyway the point is there are plenty of situations where you'd want to hide your location but might erroneously think a photo from your window doesn't reveal too much info.

-----


"> What if they just ran away on their own?"

Happens less often than you'd hope. Usually such victims require support from others.

"> Anyway the point is there are plenty of situations where you'd want to hide your location but might erroneously think a photo from your window doesn't reveal too much info."

I'm sure there might be some fringe examples, but "plenty"? Nobody has yet suggested even one plausible example so far. And even the examples in the article were from people who didn't care about revealing their location to begin with (eg in the first example, the subject announced he was in Miami as well as taking that picture).

But I'm sure there are some examples of people stupid enough to share a picture of their location and not realise it might reveal their location to other people; I'm rarely surprised by the stupidity of the worst case scenarios. But I also doubt those sorts of people who lack even that level intelligence would be the kind to people who read articles like these. So whichever way I look at it, I can't see anyone's life saved (metaphorically nor literally) by the research conducted by this author (as interesting as it might be to many of us).

-----


You might reveal your location but the person spying on you would have to be a stalker and a total creep, who basically have no life and nothing interesting to do. That's more scary than taking pictures with reflections IMO

-----


I would think a person would be more concerned about other things (not location) being relieved in the reflection. Like the strippers you have in the room. Or the drugs.

-----


Also, taking photos of meals you are eating can inadvertently reveal your dietary choices.

Look at that burger - you can see from the menu that this is a vegetarian restaurant - that means that the 'meat' isn't really meat at all but a bean and nut mixture.

-----


My takeaway: if you want to throw creepers like this guy off your trail, harvest a hotel picture from the internet and post it to your Twitter account.

-----


There is nothing inadvertent here.

-----


I was halfway through the article before I realized it wasn't going to be about a security vulnerability in MS Windows!

-----


Who cares?

-----


Reminds me of the ridiculous enhancement processes in Hollywood. Except this time... it's real.

https://www.youtube.com/watch?v=LhF_56SxrGk

-----


What do you mean, Hollywood? Red Dwarf was made in the UK.

https://www.youtube.com/watch?v=6i3NWKbBaaU

-----




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: