The recent publication of a leaked video demonstrating American security firm Raytheon’s social media mining tool RIOT (Rapid Information Overlay Technology) has rightly incensed individuals and online privacy groups.
In a nutshell, RIOT – already shared with US government and industry as part of a joint research and development effort in 2010 – uses social media traces to profile people’s activities, map their contacts, and predict their future activities.
Yet the most surprising thing isn’t how RIOT works, but that the information it mines is what we’ve each already shared publicly.
Getting to know you
In the above video, RIOT analyses social media accounts – specifically Facebook, Twitter, Gowalla and Foursquare – and profiles an individual.
In just a few seconds, RIOT manages to extract photographs as well are the times and exact location of frequently visited places. This information is then sorted and graphed, making it relatively easy to predict likely times and locations of future activity.
RIOT can also map an individual’s network of personal and professional connections. In the demonstration video, a Raytheon employee is surveyed, and the software shows who his friends are, where he’s been and, most ominously, predicts that the most likely time and place to find him is at a specific gym at 6am on a Monday morning.
Privacy concerns
The RIOT software quite rightly raises concerns about the way online information is being treated.
Since privacy rules and regulations around social media are still in their infancy, it’s hard to tell if any legal boundaries have been crossed. This is especially unclear since it appears, from the video at least, that RIOT only scrutinises information already publicly visible on the web.
The usefulness of some social media tools for mapping a person’s activity are abundantly clear. Foursquare, for example, basically produces a database of the times and places someone elects to “check-in” to specific locations.
Checking-in allows other Foursquare users to interact with that individual, but the record is basically a map of someone’s activities. Foursquare can be a great service, allowing social networking, discounts from businesses, and various location-based activities, but it also leaves a huge data trail.
Foursquare, though, has a (relatively) small user base (around 30 million) compared to Facebook (more than one billion) – although Facebook, as we know, also allows users to check-in by specifying a location in updates and posts. But the richest source of information we tend to share publicly, but not even think about, is our photographs.
Picture this
Every modern smartphone, whether an iPhone, Windows or Android device, by default saves certain information every time you take a photograph. This information about the photograph is saved using something called the Exchangeable image file format, or “exif” data.
Exif data typically includes camera settings, such as how long the camera lens was open and whether the flash fired, but on smartphones also includes the exact geographic location (latitude and longitude) and time that each photograph is taken.
Thus, all of those photographs of celebrations, birthdays, and our kids at the beach all include a digital record of where and when each and every event occurred.
Given that so many of us share photographs online using Facebook or Twitter or Instagram or Flickr, it’s not surprising that RIOT might be able to build a picture of where we’ve been and use that to guess where we might be in the future.
Yet we don’t have to leave this trail. Most smartphones have the ability to turn geographic location information off so that it’s not recorded when we take photographs.
Most of us never think to turn these options off because we don’t think about our social media persisting, but it does. Our social media fragments – our photos and posts – have no expiry date so it’s worth taking a moment when we set up a new phone or account and tweak the settings to only share what you really want to share.
If RIOT demonstrates anything, it’s the fact that information shared publicly online will likely be read, shared, copied, stored and analysed in ways we didn’t immediately think about.
If we take the time to adjust our privacy settings and sharing options, we can exercise some control over the sort of profile RIOT, or any future tool, might build about us.
Peter Ormonde
Peter Ormonde is a Friend of The Conversation.
Farmer
I thought stalking was illegal. Apparently not if you have a suitable government issued acronym.
Do people really understand the costs both to themselves and to society of this incessant chattering?
I continue to be astounded. Which at my age is quite an achievement.
Excellent piece, thanks.
Tama Leaver
Lecturer in Internet Studies at Curtin University
Hi Peter,
I think stalking, like so many terms we drag into the digital world, just doesn't quite translate. The difference between analysing someone's data trail and following them down the street taking notes are quite different, even if the end effect might be very similar. I guess it's yet another area our legal systems are going to struggle to understand in coming years!
CH Soames
Cytogeneticist
There is hesitation in taking the part of anyone who thinks that Chelyabinskaya oblast is unattractive enough to warrant elimination by meteorite, but perhaps it's not inappropriate to let the English language evolve such that 'stalking' with all its implications be deemed to apply to what RIOT is up to.
It would be interesting to know the proportion of social photo sharers have been aware of the .exif geodata their images carried within them. Another term maybe needing clarification across the…
Read morePeter Ormonde
Peter Ormonde is a Friend of The Conversation.
Farmer
I didn't really mean it about the meteorite CH but you've gotta admit that the Russians to have the knack of adorning a bland featureless landscape into a pile of unending ugliness. Everything they do seems to make the place worse.
I'd reckon that stalking involves an element of menace. Just looking isn't enough. And this RIOT business is extremely menacing depending on how it is employed.
Even moreso if - as is suggested elsewhere - that we make such intelligence gathering "inadmissable…
Read moreTama Leaver
Lecturer in Internet Studies at Curtin University
I think the difference between private in a technical sense (ie digital code prevents anyone unauthorised from seeing it) and simply the experience of privacy (ie its private because no one has found it yet) is a tricky one. A lot of our privacy concerns only become apparent once privacy has been 'breached', or at least that's how we experience it, even if nothing has altered on a technical level. Exif data can be incredibly useful, and is often embedded with images, but you question as to how many people know about it is an important one.
Sadly, the balances of privacy in our digital culture are far from straight forward or transparent today!
Judith Olney
Ms
There is also the question of why they, (as in whomever or whatever is using this software), are tracking us. The why could be for something as simple as advertising targeting, as with google ads, or something altogether scarier and nastier.
I've always been very wary of social network sites, and do not hold any accounts with any of them, and most certainly do not post personal information or photos. Maybe I'm just paranoid, maybe I like my privacy, or maybe I don't want some government dept either in this country, or any other, being able to track me so efficiently.
I was told by a wise man once, "its all good fun until someone decides your the enemy".
Peter Ormonde
Peter Ormonde is a Friend of The Conversation.
Farmer
This might give you the inside info on where this bit of gear came from and why Judith ... and I think you are most wise to regulate your information that appears on-line.
http://www.pcmag.com/article2/0,2817,2415340,00.asp
The patent application is specifically directed to identifying and gathering intelligence on "security threats".
All getting a bit Orwellian isn't it?
Judith Olney
Ms
Should read you're instead of your, in the last sentence of the above post of mine :)
Judith Olney
Ms
Ah, thank you Peter. The definition of "security threat" is becoming broader by the minute. Orwellian indeed.
Yoron Hamber
Thinking
Ahh Peter.
A harsh man of few words :)
You are not..
But always fun to read. Keep going.
Felix MacNeill
Environmental Manager
So, where does this leave all that dewy-eyed hopeful insistence that modern media would liberate us and the internet was the best weapon against tyranny, etc.
Did it never occur to any of the techno-utopians that people with a lot of money and access to technical expertise (for example, the US or Chinese governments) would never think of effective ways to counter a few clever hacktivists or wouldn't be able to buy the skills needed?
Robert McDougall
Small Business Owner
It's a leap-frog phenomenon.
First someone creates software that hunts down and collates personal data, then someone creates software that hunts down and deletes personal data.
Legislation is always going to be the dog in the desert with two trees.
Perhaps the focus of legislation should be the uses to which this information is put, I.e. make social data mining results inadmissable
Felix MacNeill
Environmental Manager
Assuming, of course, that the world's spy agencies will actually obey the law...
CH Soames
Cytogeneticist
... but the watched never seem to be quite ahead of the watchers. The watchers are motivated and persistant. Brings to mind dozens of sinister Hugo Weaving clones from some dystopian future vision.
Peter Ormonde
Peter Ormonde is a Friend of The Conversation.
Farmer
What are you alleging here Felix - and where do you live?
Yoron Hamber
Thinking
There is a difference between users and hackers. Users don't care, mostly, if they're tracked. Hackers do :) I've had this disussion with several people finding that the most used answers are, " I have nothing to hide" and "I'm just one of the fishes in the ocean" both appropriate, until someone, somewhere, takes a interest in just you :)
Then they becomes terribly shortsighted, for you as well as for your friends.
Yoron Hamber
Thinking
What makes you think they won't?
Stephen Prowse
CEO at Wound CRC
While this type of analysis is undesirable, it should not be unexpected. The internet is a vast rich source of information, much of which is public, some is valuable and a lot of which is of no value whatsoever. Many people do not understand that placing information on Facebook, Twitter etc is not private; it is like putting up a Billboard outside your house. It is a choice, if you want to remain a private person, turn off your GPS, do not use facebook etc, use cash as much as possible, do not use a mobile phone etc. It is important that people understand the implications of how they live their lives. Data collection and data mining is here to stay in some form whether we like it or not. It is not possible to put information into the public domain and then insist that it not be used.
Dianna Arthur
Dianna Arthur is a Friend of The Conversation.
Environmentalist
I agree with many of the comments made regarding this important topic. One reason I do not use my real name on TC (despite polite request for real names) is that I am able to express a little more of any relevant experience I may have. As for Facebook & Twitter I have fun with that and use it to make contact with friends and people of interest, if I am leaving any kind of revealing trail, it is one of a nature loving, libertarian (in the old meaning of the word) who loathes authority - private or government. I don't think this is a particularly unusual persona, of course if the Federal government should take an even further turn to the far right, I may have to relocate, change my name, go off the grid and try to keep my head down.
I also use search engines such as Duck Duck Go as it is less invasive as Google.