It’s Scary How Easily Photos Can Reveal Things They Weren’t Intended To


If you regularly share snapshots of your life online, turning off geotagging isn’t a very reliable way to keep your location private. Everything seen in the photo — including faint reflections — can be used to figure out where you were with scary accuracy.

Over at Hacker News, there’s an ongoing discussion about an article by IOActive Labs on how simple reflections in windows can reveal more about your location than you were intending to.

In the piece, researcher Alejandro Hernández starts with photos found on Twitter by searching for “hotel view.” Oftentimes the results will be Tweets by the rich and famous showing the gorgeous views from where they’re staying.

Even if the photo doesn’t show the interior of the hotel room, it’s fairly easy to pinpoint a somewhat accurate location based on (1) the buildings seen outside, and (2) the buildings seen in the room’s window reflections.

Using public “open source intelligence” tools such as Google Earth, Google Maps, Google Search, hotel websites, and building information databases, Hernández is usually able to figure out which hotel the photo was captured from, and sometimes even a rough estimate of what floor the photo taker was on. He was able to do this for the photo above:

Hernández guessed the photo was taken somewhere between the 17th and 20th floors of this hotel. Turns out it was captured on the 19th.

Hernández guessed the photo was taken somewhere between the 17th and 20th floors of this hotel. Turns out it was captured on the 19th.

Hernández writes that he wants to “help people to be more careful when taking pictures through windows because they might reveal their location inadvertently.” What else could reflections reveal? Maybe more than you think:

[…] information disclosed in reflections to develop a profile of an individual. For example, if the person called room service (plates and bottles reflected), what brand of laptop they are using (logo reflected), or whether they are storing something in the safe (if it’s closed or there’s an indicator like an LED perhaps).

If you want to reduce the amount of personal information that could potentially be shared, Hernández recommends eliminating reflections when photographing scenes through windows (either by choosing a different angle or by turning off all lights in the room).

As camera technology becomes more advanced, reflections could play an even creepier role in extracting info from photos. Last December, a research study suggested that reflections seen in eyeballs could help unearth evidence in criminal cases.

Glass Reflections in Pictures + OSINT = More Accurate Location [IOActive Labs]

P.S. If you don’t want your location revealed AT ALL, it’s simply better to not share photos online. Anything seen in your photos can help identify where you were when it was captured. To see how easily this is done, just check out the The View From Your Window Contest. Every week, participants try to figure out where a photo was shot using only the things seen inside the frame. The accuracy of the guesses may surprise you.

Thanks for sending in the tip, Earl!

  • Giulio Cosmo Calisse

    On a further note, walking down the street is extremely dangerous for your privacy; hundreds of people gain immediate knowledge not only of your exact location, but everything down to what you’re wearing, and the exact time you’re somewhere! People should stop going out so often

  • Jason Yuen

    God forbid, you capture a trouser-liberated penis in the reflection.

  • Jim Macias

    Who is the target audience for this article?

  • Andy Austin

    I could see how this would apply for famous people. But to be honest I don’t think anyone really wants to find me that badly that they would spend some serious time analyzing reflections. If someone was hell bent on murdering me, well they’ll find me whether I upload photos or not.

  • siva

    This has got to be one of the most stupidest articles ever.

  • Vlad Dusil

    Most spot-on-est comment ever.

  • Jason Yuen

    Well, privacy is an issue that should not be taken lightly. Often people say if they have nothing to hide, they don’t care. Not having something to hide is not a good enough reason to have your privacy violated. Having a “meh” attitude will only make it worse over time and when it really matters to you, it will be too late. If not for privacy, at least pay attention to it for a better photo!

  • fast eddie

    I saw a photo posted on a message board by a Swiss guy who lives in Thun. It was a photo he took on top of a mountain peak. He didn’t say where the mountain was, but I used his home city as a starting point on Google Earth.

    The peak was about 50 km from Thun, but I was able to find it in about 20 minutes by using the georagraphic features in the photo as a reference and following a winding river.

    I was able to virtually perch in the same exact spot he took the photo from. I thought it was pretty cool that I could do that.

    Yeah, I know. Good for me.

  • Rick Scheibner

    One could always avoid taking photos through glass altogether. But that might ruin the whole point of the article, and we wouldn’t want that.

  • Fullstop

    I shall never take photos anywhere around glass again.

  • Oj0

    If someone really wanted to know where I took a photo they could just, you know, ask me.

  • ghost

    At first, I thought this article is about ghost appearing in your photos, muhahahaha….

  • Jigsaw

    That’s Vancouver up there, right? Canada Place corner Burrard Street.

  • Mark Dub

    When it comes to the gov’t breaking privacy laws, I agree 100% with you Jason. You should never have the meh or I have nothing to hide attitude. One freedom lost means more on the way.

    But in this situation.. do I really have to worry about one of my Instagram followers finding out where I am?

  • Jason Yuen

    Probably not. Maybe it’s just me, but I find that people don’t care for their online identities as much as their driver’s license which is why I usually take extra steps to protect it. Putting more identifiable data up on the Internet makes it that much easier for anyone with malicious intent. Often you’ll see password security questions to certain sites contain “What is your mother’s maiden name?” On the surface, it doesn’t look like a problem, but all it takes for that question to become a security risk is an open Facebook profile with your mother listed as your friend for someone to find the answer. Especially now with mother’s day passed and all the “harmless” mother’s day posts that no doubt have mothers tagged in the post. You can bet there is someone, somewhere, right now sifting through this goldmine of data.

    Anyways, I think everyone ought to be careful what they post online no matter how trivial it may seem. At least to the best of their ability. That’s my 2 cents

  • Dave Wilson

    I couldn’t imagine living life this paranoid.

  • Jason Yuen

    Maybe, but then again it’s just exercising caution. Simple things like protect your phone’s contact list by passwording it protects not only you but everyone you know. If you’ve been entrusted with sensitive information from your company, then you have a duty to make sure that information stays private. Nothing worse than having your corporate email address hijacked and used to manipulate your clients into doing something because they received an email from your address. I’ve seen this happen. I know someone who had their work email hijacked and an email was sent to his client instructing them to transfer $5000 to a certain account. The client lost $5k and even if you can recover it, it’s a huge hassle. Anyone looking to specifically target you like that will have had access to your account for some time to collect as much info as possible before attacking. In this case, the attacker was reading the emails and knew exactly what client to target and what amount to use. The money was never recovered.