Computing Profession BLOG@CACM

Modern Tech Can’t Shield Your Secret Identity

Jason Hong considers how modern computing technologies would undermine superheroes' anonymity.

Posted
CMU Professor Jason Hong

https://bit.ly/3HBVEJd January 24, 2022

Most comic book superheroes have a secret identity, usually to protect their friends and family from retribution. However, today’s computer technology would make it impossible for a superhero to maintain their secret identity.

Take Spider-Man, who has a habit of diving into an alley to change into costume. However, video cameras are pervasive in New York City, which could easily capture video of him donning his mask. The New York City Police Department operates over 15,000 surveillance cameras,1 but there are thousands more Webcams controlled by residents and commercial entities. Worse, many of these cameras are small and sometimes hidden in everyday objects, making them difficult to spot.

Drones pose a major risk for vehicle-based superheroes like Batman. Gorgon Stare is a “wide-area surveillance sensor system” in which a drone flies over a city and continuously captures images below.2 This makes it possible to track cars in real time, as well as trace their paths backward in time. Gorgon Stare was initially deployed in Iraq and Afghanistan for counter-insurgency purposes, but is believed to have already been deployed in the U.S. with little oversight. These and other citywide surveillance technologies would make it trivial for an organization with enough resources to track Batman back to the Batcave.

Superman faces risks from large-scale facial recognition technologies. There’s a humorous meme3 of Lois Lane uploading to Facebook a photo of Superman rescuing her, and is asked “Want to tag Clark Kent?” While Face-book recently shut down its face recognition,4 there are many other systems commercially available. Perhaps the most prominent is Clearview AI, which has caused a great deal of controversy by crawling social media sites to get pictures of millions of people’s faces without their consent.5

Ms. Marvel is a popular new superhero, but she doesn’t do herself any favors by carrying her cellphone with her. Every cellphone needs to connect to a nearby cell tower for service, and these connections are recorded. An analyst could easily filter these records based on confirmed sightings of Ms. Marvel and narrow down which cellphone is likely hers. In practice, many requests for cell-tower data are made by law enforcement agencies after a warrant is obtained. T-Mobile reported having 459,989 such requests for cell tower data in 2018.6

Many smartphone apps also collect GPS location data.7,8 Some apps have reasonable purposes, for example getting local weather or geotagging photos. However, a large number of apps collect data for advertising purposes, which are used by advertising companies in surprising ways. For example, one company used their data to create a map of people who were in Fort Lauderdale, FL, for spring break and where they went afterward to show how easily COVID could spread.9 In our team’s research, we found many app developers were unaware their own apps were collecting so much data, it being primarily collected by third-party advertising libraries those developers included.10,11 In fact, we found over 40% of requests for sensitive data by smartphone apps were because of third-party libraries.

Smartphone operating systems also collect location data. This location data is used to help map out cell towers and Wi-Fi networks, to help other smart-phones figure out where they are. However, this location data was collected without users’ consent or even awareness, which led to Apple and Google executives testifying to Congress.12

Wi-Fi and Bluetooth also pose risks for superheroes. Both Wi-Fi and Bluetooth have mostly unique MAC addresses, which can be used to track specific smartphones. Many smartphones periodically send out probe requests to connect to previously connected Wi-Fi networks, which leak those MAC addresses as well as the names of the Wi-Fi networks they are trying to connect to.13 A villain capturing this data might be able to figure out the name and possibly location of the superhero’s home Wi-Fi network.

Smartphones aren’t the only device superheroes need to watch out for. Apple’s new AirTags are small and inexpensive devices that use Apple devices worldwide to track those AirTags. While these devices were intended to help people find their keys and luggage, some individuals are using them to target expensive cars for theft or to stalk people.14 A villain might slip such a device onto a superhero’s costume or vehicle to track them. Iron Man would have enough technical savviness to detect these trackers, but Hawkeye probably would not. Apple has some counter-measures built in, for example, iPhones will notify their owners about possibly being tracked, but this only works for iOS and only after 8 hours.

Comic book fans love debates about almost-pointless topics, like who would win in a fight or who has the best sidekick. One could argue about how Superman could avoid this kind of face recognition, or how Spider-Man’s Spidey-sense would help him avoid that kind of tracking. But, this blog post isn’t really about superheroes, it’s actually about our current reality and just how widespread surveillance technologies are.


Superheroes worry about having their identities revealed, while the rest of us in the real world worry about surveillance technologies and how they can be easily abused.


Superheroes have to worry about having their identity revealed, but the rest of us in the real world have to worry about just how much surveillance technologies and information about us is out there, and how all of this can be easily abused—sometimes accidentally, sometimes intentionally—by advertisers, governments, employers, stalkers, criminals, and more.

These are not hypothetical concerns, either. There was a father that learned his teenage daughter was pregnant because of predictive ads.15 There was a priest that resigned because someone outed him as gay based on purchased location data.16 There was a Black man arrested due to a false positive in face recognition software.17 Domestic spying tools were used by police in Black Lives Matter protests—including drones, face recognition, automated license plate readers, and Stingray devices to capture cellphone data18—despite the vast majority of those protests being peaceful. There have been multiple cases of intimate-partner violence using smart technologies.19,20 There was NSO Group’s Pegasus spyware used against journalists and human rights activists.21 There are probably countless more technologies authoritarian governments deploy against their own citizens.

The challenge is that there are legitimate uses for many of these kinds of tracking technologies. However, despite a great deal of research and discussion, we still lack the user awareness, regulations, public policy, technical tools, auditing support, ethics, social norms, and economic incentives to steer us away from the worst uses. And, unlike comic books, there isn’t a Justice League or an Avengers that can save us. The problem is not an incursion by a cosmic being, or an alien invasion, or schemes by a Republic serial villain. This is a problem fully of our own making, and the only ones who can fix things is us.

 

    1. Tucille, J.D. New Yorkers are watched by more than 15,000 surveillance cameras. Reason, June 7, 2021. https://bit.ly/3gIpjEo

    2. Michel, A.H. Eyes In The Sky: The Secret Rise of Gorgon Stare and How It Will Watch Us All. Mariner Books. 2019.

    3. Superman - Want to tag Clark Kent? https://knowyourmeme.com/photos/1218277-superman

    4. Ingram, D. Facebook to delete 1 billion people's 'facial recognition templates'. NBC News, Nov 2, 2021. https://nbcnews.to/3sygjYl

    5. Moyer, E. Clearview AI set to get patent for controversial facial recognition tech. C/Net, December 4, 2021. https://cnet.co/3oHz8al

    6. Whittaker, Z. T-Mobile quietly reported a sharp rise in police demands for cell tower data. TechCrunch. July 12, 2019. https://tcrn.ch/3gwETTM

    7. Valentino-DeVries, J., Singer, N., Keller, M., and Krolik, A. Your Apps Know Where You Were Last Night, and They're Not Keeping It Secret. The New York Times, December 10, 2018. https://nyti.ms/3srLO6a

    8. Thompson, S., and Warzel, C. Twelve Million Phones, One Dataset, Zero Privacy. The New York Times, December 19, 2019. https://nyti.ms/3gyJ94W

    9. O'Sullivan, D. How the cell phones of spring breakers who flouted coronavirus warnings were tracked. CNN, April 4, 2020. https://cnn.it/34ObJwy

    10. Balebako, R., Marsh, A., Lin, J., Hong, J.I., Cranor, L.F. The privacy and security behaviors of smartphone app developers. Workshop on Usable Security (USEC 2014). https://bit.ly/3oEWSMl

    11. Chitkara, S., et al. Does this App Really Need My Location? Context-Aware Privacy Management for Smartphones. IMWUT 2017. https://dl.acm.org/doi/10.1145/3132029

    12. Pepitone, J. Apple and Google get grilled on privacy. CNN, May 10, 2011. https://cnn.it/3GGRq1w

    13. Gallagher, S. Where've you been? Your smartphone's Wi-Fi is telling everyone. [Updated]. Ars Technica, November 5, 2014. https://bit.ly/35UNkpK

    14. Mac, R., and Hill, K. Are Apple AirTags Being Used to Track People and Steal Cars? The New York Times, December 30, 2021. https://nyti.ms/3HY31Lf

    15. Duhigg, C. How Companies Learn Your Secrets. The New York Times, February 16, 2012. https://nyti.ms/3gASOIm

    16. Associated Press. Priest outed via Grindr app highlights rampant data tracking. USA Today, July 23, 2021. https://bit.ly/3rISJJc

    17. Allyn, B. 'The Computer Got It Wrong': How Facial Recognition Led To False Arrest Of Black Man. NPR, June 24, 2020. https://n.pr/3gFu5Ts

    18. Reichert, C. House Dems demand FBI, others stop spying on Black Lives Matter protests. C/INet, June 9, 2020. https://cnet.co/365lcAt

    19. Freed, D., et al. "A Stalker's Paradise": How Intimate Partner Abusers Exploit Technology. CHI 2018. https://bit.ly/3rEcP7i

    20. Bowles, N. Thermostats, Locks and Lights: Digital Tools of Domestic Abuse. The New York Times, June 23, 2018. https://nyti.ms/3oEFoPW

    21. Benjakob, O. The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware. Haaretz, January 20, 2022. https://bit.ly/34O0W5E

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More