April 15, 2011 at 9:00 AM ET
You probably know that some Internet and cell phone applications like Foursquare or Twitter can broadcast your location to the world. And you might know that Web sites with names like PleaseRobMe and ICanStalkYou have been created with shock value in mind to call attention to the potential consequences of broadcasting such information. But those sites picked on random individuals and exposed their whereabouts one at a time.
A new software tool created by Greek programmer Yiannis Kakavas goes much farther in the shock category. Called "Creepy," Kakavas' tool makes it easy to gather all the location-based digital breadcrumbs that people leave online and plot them on a map. The map and associated time stamps make it easy to discern their routines -- "It looks like Bob goes to this coffee shop every Friday morning around 10:30" -- a tool of incalculable use to a would-be stalker. For Web users who loyally leave breadcrumbs everywhere ("Now at Whiskey Bar!" "Now at Park Diner," "Finally home") it's possible to recreate much of their daily lives using Creepy.
What's more, unlike ICanStalkYou, users can search for any Foursquare, Twitter or Flickr user they want. Kakavas tool also adds a handy handle-search tool, in case you only know your stalking subject by their real name.
When I reached Kakavas in Germany, where he is finishing his dissertation on computer security, he took pains to make clear he wasn't trying to make life easier for stalkers.
"I was trying to make a point," he said. "I'm trying to raise awareness among users of social networking platforms that they actually do share a lot of information and this can potentially be used by people with malicious intentions."
The name, by the way, derives from the programming language he decided to use when writing his tool -- python, which creates files with the extension .py. So the name for the program, strictly speaking, is Cree.py.
The tool takes only a few moments to download. There's a Windows version along with more hacker-friendly Linux versions. Users simply enter a handle, hit "Geolocate," and then sit back and wait for results. "Hits" can come from moments-old Tweets or Flickr images posted months ago. The hits then are plotted on a map, similar to the markers that appear on Google maps after a search for a restaurant. Clicking on a single hit allows a user to zoom in on a precise location, and offers the time and any media associated with it, such as "Enjoying lunch with @RedTapeChron."
No one should be surprised that their location data ends up on Creepy -- software tools like Twitter are deliberate in asking consumers if they want to post their location and it's not hard to turn the feature off. Clearly, people who tell Foursquare where they are located know they are sharing this information with the world. Still, it's jarring to see all your location declarations plotted on a big map.
But is it dangerous? There are no shortage of breathless local television exposes suggesting that cell phones are telling pedophiles where your children's bedrooms are.
The fear might be exaggerated, but if it gets parents to think twice about promiscuous use of social media, that's fine.
To get a realistic view of how scary Creepy is, I called someone I know who's an avid location service user and asked if I could "stalk" her. She agreed.
Kelly Collis runs a local online deal-a-day service called CityShopGirl, which is a bit like Groupon or Living Social, but only for the Washington D.C. area. She focuses on telling women about luxury experiences like "Make-Up Monday" at a local spa or a "Hammers and High Heels" event at a local hardware store. Telling followers her whereabouts is part of her marketing strategy – and, frankly, her credibility.
"I think it's good for my business," she said. "I want people to know I'm trying that new bar, at that hot event, and sometimes I want people to know who I'm with."
A search for Collis on Creepy turned up nearly 100 hits, showing she has a clear predisposition for the Georgetown and Dupont Circle neighborhoods. In fact, it's easy to tell that she's often near M Street, Georgetown's retail area, or Connecticut Avenue, the main drag through Dupont. I sent her screen shots of these findings, and some examples that were even more specific. Like this: At 8 p.m. on Feb. 4 she told followers she was at Whole Foods in the Glover Park neighborhood, and that "Some dude was just kicked out for sneaking a beer in the seating area."
Collis said the results were "a bit unnerving," but in general, she was undeterred from using location services.
"I know the rules of the social media. If you want to go out and play, you have to know people are watching," she said.
She's careful not to check in and broadcast her location incessantly, so she doesn't leave a complete trail of breadcrumbs behind her. In fact, she only checks in to specific places "with a purpose" in mind, to let readers know she's really out pounding the pavement, looking for new deals and hot spots. She has two children, but never uses location services when they are with her, and she never checks in from anyplace alone.
"I am constantly updating myself on privacy policies and settings, but even then ... you have to know when you play in social media, you are exposed to consequences, and you may not know what those consequences are," she said.
And she has faced consequences. She once received a text message from a stranger who found her cell phone number online -- she thinks from an errant display on Foursquare, which she has now removed -- and got a message saying, "I know you're (at a bar), I'm going to come meet you."
She blocked the user, and never heard from the stranger again. Despite the experience, she believes in the positive potential of location services.
"The other night I was home doing nothing and saw on Foursquare that two of my friends who didn't know each other were at the same place," she said. "So I texted one of them and said, 'Hey, you should go over and talk to (him).' He did, and they ended up hanging out all night."
But Collis is both a believer and an expert user of social media. It's easy to imagine others being much more alarmed at what they find about themselves using Creepy. It's trivial to plot regular location service users on a map and determine when they normally arrive at work and when they get home.
"The name Creepy doesn't refer to how scary the tool is, it refers to how scary it is that people willingly share this amount of information about themselves, information that in other contexts they would treat much more carefully," said Kakavas, the programmer.
Kakavas said he hasn't received any negative feedback since he released the tool earlier this month. In fact, he's gotten a lot of support from programmers in the computer security world, who right away picked up on the other function Creepy offers – a tool that could make hackers' social engineering efforts much easier.
"Say you are a security expert and you are hired to evaluate the security a company," he said. "You pick (an employee of the company who uses location services), then using Creepy you can deduce where he has morning coffee, or his favorite club. ...Then you can try to create a pretext for the target using this information."
For example, you could learn that a certain employee is always on Interstate 90 heading to work at 8:45 a.m. One morning, when traffic is particularly bad, you could call the company and say, "I have an emergency. I'm stuck in traffic and need that big presentation. Please e-mail it to me at my private address so I can access it in the car."
Or, a simpler trick might be to visit the target at his or her favorite coffee shop or restaurant and "shoulder surf" for critical information – a task made easier by knowing precisely when to expect the target.
"It's a whole different level when we can combine all this information about use of these services over time and can create a profile of user habits," Kakavas said. "Many people just don't realize how much they've been sharing."
RED TAPE WRESTLING TIPS
It's important to note that all information which Creepy finds is already available to anyone with a Web browser – Creepy merely aggregates it. Social media users have offered the data to the world by agreeing to broadcast their location.
In general, I think use of these services is a bad idea -- the potential for unforeseen consequences is enormous. Who knows what it might look like eight years from now that you were "Partying at Whiskey Bar with @JimmyS @BobbyV and @HornyFrog?"
But Collis points out one of the many potentially fun ways to use services like Foursquare. If you must, review your privacy choices carefully -- Twitter users can restrict who sees their location broadcasts, for example, and it's smart to pick the most limited group. Doing so foils Creepy's efforts to follow you.
Check your privacy settings more than once. Internet services are famous for "upgrading" privacy settings that lead to accidental disclosures.
Twitter also offers a handy button that allows users to delete all location information they've ever posted. That's a good idea. What positive use is there for three-month-old location data attached to your tweets?
That reinforces the most important point here: It can be perfectly innocent and safe to check in to conference or a club and look for nearby friends, when viewed in isolation. But privacy choices can have far-reaching, unpredictable consequences. When will a marketing company start barraging you with ads because of the places you shop? When will a health care company raise your premiums because you went out too often when you were young? Unless, like Collis, you know exactly what benefit you're getting and you're willing to deal with the occasional stalker, why take that risk?