Slashdot Mirror


Man Creates "Creepy" Stalking App

An anonymous reader writes "Creepy, a package described as a 'geolocation information aggregator,' is turning heads in privacy circles, but should people be worried? Yiannis Kakavas explains why he developed his scary stalking application. Creepy is a software package for Linux or Windows — with a Mac OS X port in the works — that aims to gather public information on a targeted individual via social networking services in order to pinpoint their location. It's remarkably efficient at its job, even in its current early form, and certainly lives up to its name when you see it in use for the first time."

34 of 142 comments

  1. paranoia ho! by Vectormatic · · Score: 3, Insightful

    Anyone instantly worried that installing this software in your own machine might also make any data on that machine available for stalking?

    It somehow doesn't seem like a good idea to me to trust a programmer proficient at this kind of thing without a very very thorough code review first

    --
    People, what a bunch of bastards
    1. Re:paranoia ho! by rekenner · · Score: 4, Informative

      As opposed to just going "Welp, someone ELSE better look through that code!", I decided to. I'm not going to claim I'm a security or python expert, but I know the latter decently enough to feel safe in saying... ain't nothing there but what it says on the tin.

    2. Re:paranoia ho! by asto21 · · Score: 5, Informative
      From the 'creepy' site

      Location information retrieval from:
      • Twitter's tweet location
        • Coordinates when tweet was posted from mobile device
        • Place (geographical name) derived from user's IP when posting on Twitter's web interface. Place gets translated into coordinates using geonames.com
        • Bounding box derived from user's IP when posting on Twitter's web interface. The less accurate source; a corner of the bounding box is selected randomly.
      • Geolocation information accessible through image hosting services API
      • EXIF tags from the photos posted.

      Social networking platforms currently supported:
      • Twitter
      • Foursquare (only checkins that are posted to Twitter)

      Image hosting services currently supported:
      • flickr - information retrieved from API
      • twitpic.com - information retrieved from API and photo EXIF tags
      • yfrog.com - information retrieved from photo EXIF tags
      • img.ly - information retrieved from photo EXIF tags
      • plixi.com - information retrieved from photo EXIF tags
      • twitrpix.com - information retrieved from photo EXIF tags
      • foleext.com - information retrieved from photo EXIF tags
      • shozu.com - information retrieved from photo EXIF tags
      • pickhur.com - information retrieved from photo EXIF tags
      • moby.to - information retrieved from API and photo EXIF tags
      • twitsnaps.com - information retrieved from photo EXIF tags
      • twitgoo.com - information retrieved from photo EXIF tags

    3. Re:paranoia ho! by scdeimos · · Score: 3, Informative

      Anyone instantly worried that installing this software in your own machine might also make any data on that machine available for stalking? It somehow doesn't seem like a good idea to me to trust a programmer proficient at this kind of thing without a very very thorough code review first

      Knock yourself out. The source code is available from the project page:

      • http://ilektrojohn.github.com/creepy/
      • git clone git://github.com/ilektrojohn/creepy
    4. Re:paranoia ho! by Vectormatic · · Score: 2

      I applaud you for the initiative, but people can do very very sneaky stuff in code, so your IANAS/PE pretty much means that if the author was anywhere half competent and wanted to do something Evil(tm) he could probably sneak it past you

      Which is part of my problem with the idea that open source means it is automagically safe, I know I wouldn't be able to tell if some hardcore C-lib does something less than savory without spending a disjointed amount of time on the needed code-review. You basically assume someone else has checked to see if there aren't any malicious things in there, but for 99% of the people, doing a fully fledged code review is unfeasible.

      Not that I think this is an argument against open source, I just think the open == secure argument is hardly true

      --
      People, what a bunch of bastards
  2. Binoculars are so much cooler. by SquirrelDeth · · Score: 2

    And you can even stalk people who don't use twitter etc.

    1. Re:Binoculars are so much cooler. by Chrisq · · Score: 2

      And you can even stalk people who don't use twitter etc.

      Hidden cameras are better still. A nice clock makes a good present .....

  3. Twitter and Flickr by the_Bionic_lemming · · Score: 2

    So, the EULAs take everything you post on these services (since you agreed to it), make apps to release the info (that you agreed to release) and this guy is a social phenomenon for making a program to track what users freely gave up to join the sites in question?

    And this is creepy?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    1. Re:Twitter and Flickr by Elbereth · · Score: 2

      I think that the idea is that we're supposed to

      A) Be horrified by the privacy implications of putting all this personal information on the internet, of our own free will
      or
      B) Laugh at the people who chose A, and smugly congratulate ourselves for not having done so.

      Either way, it generates more pageviews for slashdot.

    2. Re:Twitter and Flickr by mcvos · · Score: 3, Insightful

      It's also supposed to make people more aware of the kind of information they're giving away. Most people just don't think about that sort of thing. Sharing with friends is fun. They have no idea that they're sharing the exact same data (and even more; who even knows about exif data?) with the entire world. And the world does include some very creepy people.

    3. Re:Twitter and Flickr by ATMAvatar · · Score: 2

      Sure, they don't care now. The point of Creepy is to maybe put a dent in the apathy. If a proper news source were to pick this up under the banner of "A stalker could be after your kids using this app!", people might start to care.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    4. Re:Twitter and Flickr by thePowerOfGrayskull · · Score: 3, Insightful

      Sure, they don't care now. The point of Creepy is to maybe put a dent in the apathy. If a proper news source were to pick this up under the banner of "A stalker could be after your kids using this app!", people might start to care.

      Oh please no. Because once that happens, the politicians will get involved. And nothing good can ever come of that.

  4. Not creepy at all by Rob+Kaper · · Score: 2

    If you publish your whereabouts on public streams of social networks, it is publicly available. Even the biggest idiot on the internet will grasp that. Has anyone ever thought about the fact that people who check in to a location on Foursquare, post pictures of themselves at that location on Flickr and mention that location on Twitter might actually want the world to know where they are?

    1. Re:Not creepy at all by rhook · · Score: 2

      It just stopped working too, I think Twitter blocked it already.

    2. Re:Not creepy at all by wvmarle · · Score: 2

      They want their FRIENDS typically to know where they are (or, for bragging rights, have been); usually not realising the other potential uses of such information, and how much it reveals about them for outsiders. They don't realise it also reveals where they live, where they work, and when they're usually not at home.

    3. Re:Not creepy at all by mcvos · · Score: 2

      Of course, but have those people ever considered that it might not be very smart to let potential burglars know that you'll be skiing in the Alps for a week?

    4. Re:Not creepy at all by RichiH · · Score: 2

      > Even the biggest idiot on the internet will grasp that.

      No.

      > Twitter might actually want the world to know where they are?

      The world or their friends?

    5. Re:Not creepy at all by Seumas · · Score: 4, Insightful

      I like the idea that it's okay for government and corporations to data mine you and stalk you, but the individual data mining against the individual is "creepy" and evil and blah blah blah.

    6. Re:Not creepy at all by nospam007 · · Score: 2

      "Even the biggest idiot on the internet will grasp that."

      But usually only after someone cleans out their apartment while they are at a wedding.

  5. Is this the new wild west? by a_hanso · · Score: 3, Insightful
    1. Rise of APTs (advanced persistent threats) - SecurID breach, Google China etc.
    2. Anonymous, Wikileaks and other activists
    3. Firesheep, Creepy and other social media privacy exploits
    4. Botnets and other advanced commercial malware
    5. Stuxnet and other government actors

    In the 90's and early 00's it was the Frontier, where everyone gave everyone else a hand. Now, we need to start walking around with six shooters.

    The number of data breaches alone is frightening: http://www.privacyrights.org/data-breach#CP , http://www.databreaches.net/

  6. Ummmm by Sycraft-fu · · Score: 5, Insightful

    I don't know that this really does much you can't do fairly easily already. So if you have someone's name and city, there is a good chance you can locate them. Why? All kinds of things in the public record you could look up. Own a house? Then there's a record of that publicly available. Phone numbers are normally listed (though with the increase in cell phones that is less common).

    What it comes down to is that in a modern society, we are going back to how it was in older, smaller societies: You can have privacy, but you cannot have anonymity, at least not without a good deal of trouble and sacrifice.

    So back in the day, with much smaller communities and so on you had an "everyone knows everyone" situation. Not literally, but people were known to a substantial part of the town. As such it was just not possible to be anonymous. Your comings and goings were noticed. Where you lived was known, that kind of thing. If you moved to a new place, again you'd be noticed. Short of going and living a very solitary life, you couldn't be anonymous.

    Now privacy you could have, easily. If you wanted a private conversation, just walk out in a field where nobody was within earshot. In your house you had almost complete certainty nobody could spy since there was no advanced technology. What you did you could keep private to a large degree. That you were around doing things you could not.

    As things grew anonymity became more and more possible. You could just disappear in a large city, go about your business but be unknown and invisible to most everyone.

    Well, that is changing back again. Technology is making it such that anonymity is going away. It is just very difficult to make yourself unknowable. Privacy is certainly possible, and the Supreme Court has ruled it is a right and thus the government is required to respect it. However anonymity is pretty hard.

    So that an app can find where you live fairly easily isn't surprising at all to me. There's just a lot of public documents on you, and the Internet makes it easy to search them. The information you choose to provide on social network sites makes it even easier.

    It is just kinda something we have to accept, unless we want to radically alter how society works.

    Also we need to understand that anonymity and privacy are not the same thing. Too many people conflate the two. They think a right to privacy means the right to be totally unknown. Not the case. It means the right to have the specifics of your life secret, not that you are living your life a secret.

    What you do in your house is your private business. That you are in your house is not private. Your neighbours can watch you come home and leave, and know when you are there. That is 100% legal and ethical. You will not be anonymous. However they can't go and spy on you and see what you are doing. You can still be private.

    1. Re:Ummmm by Anonymous Coward · · Score: 3, Interesting

      Yes, I would also like more people to make this distinction. However, I think anonymity is more important than privacy. Either one is enough. With privacy, I can do what I want and no one will know. With anonymity people will know, but it won't matter since they won't know who I am. So the question becomes which one we will be able to rely on in the future. How easy is it for one to have privacy or anonymity?

      With email providers and facebook handing out user data left and right, it's easy to know what a person is doing. And while it's not exactly legal to spy on people, spy cameras and wiretaps certainly make it easy.

      If I wanted to become anonymous, though, all I would need to do is leave my cellphone at home and only use cash. On the internet, use TOR. If I were to do this, it would be impossible for anyone to identify me, be it legal or not. And that is why I believe in anonymity more than privacy.

      Granted, this could only be done occasionally, and I'm not saying privacy shouldn't be defended. On the contrary, since anonymity is always possible, privacy is what needs defending most.

    2. Re:Ummmm by Kjella · · Score: 3, Insightful

      While it's hard to put this into a formal definition, there's a difference between random observation in public and systemic surveillance. If you had a person that stayed two steps behind you everywhere you went and noticed everything you put in your grocery basket, took notes at the pub how many beers you were drinking, followed you home and knew where you slept and if you brought anyone with you home, most people would be seriously creeped out even though technically it all happens "in public". I'm not so worried about someone actually doing that, maybe you could if you put a whole team of undercover detectives on me but it's not practical to do on any scale.

      With technology though the rules change. It becomes very possible to track everyone, all the time with relatively little manpower. Like the EU data retention directive that requires the location of all cell phone traffic be stored for 6-24 months. For a smart phone that checks for mail etc. in the background that's practically 24x7 surveillance, like we've all been radio tagged. For public transport they're pushing for electronic tickets, for private transport there's electronic toll road readers - it's not impossible to travel anonymously, just very impractical. Unless you want to fly, in which case it is impossible.

      Same goes with money, they're fighting harder and harder for everyone to use electronic money. If I pay anyone over 1800$ in cash here in Norway, I can be held as an accessory to their tax fraud. What happens is that they don't wrap in surveillance, it's not some extra papers you fill in to have it logged. It's wrapped in convenience - online banks are so much simpler than the way we did before, oh and we keep a copy of all the records too. Same with cell phones, great invention. Oh and it also doubles as your tracking device. If I locked it around your ankle you'd protest, but if I can make 95%+ use it voluntarily 95%+ of the time, we can go after those "must have something to hide" people.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Ummmm by worf_mo · · Score: 2

      I generally agree with you, but I think this part of TFA is interesting:

      While the location of an individual tweet might not reveal much, visualising a user's history on a map reveals clusters around their home, their workplace, and the areas they hang out.

      This is a bit more than public records about houses and phone numbers - I'd say it is closer to the "everyone knows everyone" situation, where the better part of a town would know what bar you could find John in after work.

      I don't find the application creepy, after all it simply aggregates information that is available anyway. I believe that people should be more aware that when using certain services they are sharing a bit more than just their thoughts or pictures. This will be fine for many, but some might prefer to remain a bit less "locatable".

    4. Re:Ummmm by moonbender · · Score: 2

      You distinguish privacy and anonymity, but your definition of anonymity seems flawed. When I run around in a city, my anonymity is still largely maintained: a stranger really has no means to identify me, even the police will have difficulties if I don't volunteer the information (say, by showing them my ID card which are issued to everyone here, but that's beside the point). Because I am anonymous to them, strangers have no shortcuts to getting more information on me, e.g. they can't use the app from TFA to get my movement profile. On the net, anonymity is more difficult, because law enforcement can identify the account owner using the IP.

      I guess you're arguing that part of anonymity is that nobody knows where your residence is (and vice versa: nobody knows "who lives in that house over there"). I suppose it's true that in most modern societies, governments have access to that kind of information. I wouldn't attribute that to technology, though. And private individuals at least still have difficulties getting that information, unless you advertise it, e.g. in the phone book. There's a huge difference between information that is available for free and information that's available in return for money or excessive sleuthing.

      The privacy impact of the application still looms. Not sure why you focus on it revealing where you live -- it might do that, but it does both more and less. It's simply an effort to gather all the geodata people post (deliberately) or leak (unwittingly). For a careless/unaware user, a large enough amount of images could lead to a fairly complete movement profile available to the world (somewhat related comment about the implications). Even if it's not a thorough profile, it still could lead to lots of awkwardness.

      None of this is new, I'm sure most Slashdot users a) are aware that some services leak geodata (e.g. in exif tags), including disabling that feature if they don't want to leak geodata, and b) are able to crawl a lot of a person's data and pull the geodata from it to create a profile from it. This isn't a basic technology breakthrough, or anything, I think it's fairly obvious that the author is trying to build awareness in the same way the Firesheep guy successfully did.

      --
      Switch back to Slashdot's D1 system.
    5. Re:Ummmm by nanospook · · Score: 2

      Yes, but by putting RYAN SEACREST in the tool I was able to pinpoint roughly 4 hotspots on a map in Hollywood where he sends twitters. You need to consider the geolocation feature of this tool and how easy it was to pull up a map. Most people I know don't bother with twitter but if you are high profile, you should be concerned about this. If a stalker, possibly one with bad intentions (you kicked off my favorite star!!) were to keep an eye on the coffeehouse you visit regularly, he might find it easy to make his point ;)

      --
      Have you fscked your local propeller head today?
  7. Python, doesn't work, and link to main site. by no+known+priors · · Score: 2

    A link to the actual site for the program: http://ilektrojohn.github.com/creepy/. Also, this program has copyright notices for 2010. So... (Though admittedly the article is dated 30 March 2011.)

    Anyway, yeah, the program is written in Python it seems. And it doesn't even run for me.
    Possibly because some dependencies aren't in the Ubuntu 9.10 universe. Bleh.

    Anyway, I just wanted to say one other thing. I ain't worried, 'cause I don't use Social Networks! Hah! You crazy stalking types are going to have to try harder to find out about me than that. (Please help, I have no friends.)

    --
    Appended to the end of comments you post. The maximum is 120 characters.
    1. Re:Python, doesn't work, and link to main site. by Jafafa+Hots · · Score: 4, Funny

      I'm not worried, because anyone that stalks me is bound to find out that I'm creepier than they are.

      --
      This space available.
  8. I'm creepier than they are by Anonymous Coward · · Score: 2, Informative

    I'm not worried, because anyone that stalks me is bound to find out that I'm creepier than they are.

    I can confirm this.

  9. This App's rubbish by Chrisq · · Score: 2

    This App's rubbish. I put in Uncle Osama and the places it came up with are nowhere near where he is.

  10. This is not a privacy issue. by blanks · · Score: 3, Interesting

    Why are people saying this is a privacy issue? It's not. It uses publicly available information that the person freely posts online for the general public to read. It's like saying articles posted in the New York Times are private information of the authors who write for it. This program doesn't even do anything cool like make HTTP requests from state / city government-run publicly available data.

    There are already existing applications out there that have all the features this software has and much much more.

  11. Re:Sue-age by Opportunist · · Score: 5, Insightful

    We're punishing the tool maker for its misuse again? Someone should warn Mr. Smith and Mr. Wesson.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Advanced Forensics Tool by laxergreg · · Score: 2

    This guy got it all wrong. He didn't make a creepy geolocation aggregator; he made an "advanced geolocation forensics tool for use in the intelligence community". Had he labeled it properly and been more greedy, he could be laughing all the way to the bank! He definitely could have taken a page out of the Hoglund/Barr book here.

  13. You don't need an app for that by SilverJets · · Score: 2

    Given the way a lot of Facebook users post anything and everything about themselves, it is not necessary to install this software to digitally stalk someone.