Creepy app signals an end to privacy

Creepy, a package described as a 'geolocation information aggregator,' is turning heads in privacy circles, but should people be worried? We chat to its creator, Yiannis Kakavas, to find out what's going on.

Creepy is a software package for Linux or Windows - with a Mac OS X port in the works - that aims to gather public information on a targeted individual via social networking services in order to pinpoint their location. It's remarkably efficient at its job, even in its current early form, and certainly lives up to its name when you see it in use for the first time.

You can enter a Twitter or Flickr username into the software's interface, or use the in-built search utility to find users of interest. When you hit the 'Geolocate Target' button, Creepy goes off and uses the services' APIs to download every photo or tweet they've ever published, analysing each for that critical piece of information: the user's location at the time.

While Twitter's geolocation setting is optional, images shared on the service via sites like Twitpic and Yfrog are often taken on a smartphone - which, unbeknownst to the user, records the location information in the EXIF data of the image. Creepy finds these photos, downloads them, and extracts the location data.

When the software finishes its run, it presents you with a map visualising every location that it found - and that's when the hairs on the back of your neck go up. While the location of an individual tweet might not reveal much, visualising a user's history on a map reveals clusters around their home, their workplace, and the areas they hang out. Everything a stalker could need, in other words.

Creepy is the brainchild of Yiannis Kakavas, a 26-year-old academic working on his thesis on critical infrastructure protection at Technischen Universität Darmstadt in Germany following his completion of an MSc in information and communications security at the Royal Institute of Technology in Stockholm.

Originally from Greece, Kakavas is passionate about information security - as his academic history attests. "My interest in geolocation stems from the privacy issues that arise from the use of geolocation-aware social networking platforms such as Foursquare or Twitter," he explained to thinq_ during our interview - and it's an interest that has led to a fascinating creation.

"The purpose in creating Creepy was twofold," Kakavas explained. "First, to try and raise awareness about privacy in social networking platforms. I wanted to stress how 'easy' it is to aggregate all the seemingly small and innocent pieces of data people are sharing into a 'larger picture' that potentially gives away information that users wouldn't think of sharing. For example, where do they live, where do they work, where and at what times they are hanging out, when they are not at home et cetera. I think that sometimes it is worth 'scaring' people into being more careful on how much they share online.

"Secondly, I wanted to create a tool for social engineers to help with information gathering. I believe Creepy can be of real use to security analysts performing penetration testing for the initial process of gathering information about the 'targets' - information that can be used later for a number of purposes."

The sheer quality of the information Creepy is able to pull out from people's social networking accounts is astonishing - and the tool took Kakavas a mere month to produce, using publicly-available libraries like osmgpsmap, tweepy, and pyexif2 to speed up development. It's something that Kakavas hopes will make people sit up and take notice about the things they share so freely on social networking sites.

"Everything is location aware these days. Your mobile phone has a GPS receiver, your social networking platforms want to know where you are," Kakavas warned. "There is the category of users who sacrifice their own privacy for exhibitionism. I don't agree with them but at least they do it consciously, and they have to bear the consequences. Then there are the people who share sporadically some of their information, thinking that it can't go wrong.

"The above two categories are the ones who need to be 'scared' and understand what someone with malicious intentions can do with their publicly-shared information, no matter how much they think they share. Lastly there is the category of people who might not know exactly what geo-tagging is, and clicked 'allow' in the 'Twitter app wants to use your current location' prompt without really paying attention. Those users need to be educated, warned about the potential risks and to become aware."

Kekavas admits that the release of the tool might prove unsettling, with many likely to view it as an invasion of privacy despite its use of publicly-available information. "They are right, it is unsettling," he confesses, "but they need to understand that what is unsettling is the fact that they give out that much private information, not the fact that services like Creepy can aggregate this information.

"Users should be educated and warned about the risks before they choose to use any location aware service. It's a constant fight between our right to be 'left alone' and our need for exhibitionism. Let's see which one wins."

The Creepy tool, which is released under an open source licence, can be downloaded from the project website.