BLOG@CACM
Artificial Intelligence and Machine Learning

Superhero Secret Identities Aren’t Possible with Today’s Computing Technologies

Posted
CMU Professor Jason Hong

In comic books, most superheroes have a secret identity, usually to protect their friends and family from retribution. However, today’s computer technology would make it impossible for a superhero to maintain their secret identity.

Take Spider-Man, for example. When Peter Parker spots trouble, he has a habit of diving into an alley to change into his costume. The problem is that video cameras are pervasive in NYC, which could easily capture video of him donning his mask. Reason.com reports that New York Police Department operates over 15000 surveillance cameras [1]. But it’s not just NYPD that Spider-Man needs to watch out for, there are thousands more web cams and security cameras controlled by residents and commercial entities. Worse, many of these cameras are small and sometimes hidden in everyday objects, making them hard to visually spot.

Drones also pose a major risk, especially for vehicle-based superheroes like Batman. Gorgon Stare is a drone-based surveillance system that offers what the United States Air Force calls a "wide-area surveillance sensor system" [2,3]. A drone flies over a city and continuously captures images below, making it possible to not only track cars and other objects in real time, but also trace their paths backwards in time. Gorgon Stare was initially deployed in Iraq and Afghanistan for counter-insurgency purposes, but is widely believed to have already been deployed in the United States with little oversight. These and other city-wide surveillance technologies would make it trivial for an organization with enough resources to track Batman back to the BatCave, see who owns that property, and then deduce that Batman is Bruce Wayne.

Superman faces risks from large-scale face recognition technologies. There’s a humorous meme [4] of Lois Lane uploading to Facebook a photo of Superman rescuing her, and Facebook’s face recognition system asks "Want to tag Clark Kent?" While Facebook has recently shut down its face recognition system, in part due to growing laws over use of biometrics [5], there are still many other large-scale face recognition systems commercially available. Perhaps the most prominent of these is Clearview AI, which has caused a great deal of controversy by crawling social media sites to get pictures of millions of people’s faces without their consent [6]. Regardless of what commercial entity wins out in this space, the risk is still there for any superhero that doesn’t have a mask, that they could be identified using these kinds of face recognition systems.

(And yes, I know that, according to Superman #1 post Crisis, Superman vibrates his face at high speed to make it harder to capture a clear view of his face, but he has to keep still for photo ops, right?)

Ms. Marvel is a popular and relatively new superhero, and a fun read, highly recommended! But she doesn’t do herself any favors by carrying her cell phone with her everywhere, especially when she’s fighting off super villains. Every cell phone needs to connect to a nearby cell tower for service, and these connections are recorded by the telco owning the cell tower. An analyst could easily filter these records based on confirmed sightings of Ms. Marvel, quickly narrow down which cell phone is likely hers, and then deduce her identity. In practice, many requests for cell tower data are made by law enforcement agencies after a proper warrant is obtained. While it is unclear how many requests are made per year, one major telco, T-Mobile reported that there were 459,989 requests for cell tower data in 2018 alone [7].

However, it’s not just cell tower data that superheroes need to worry about. It turns out that many smartphone apps collect GPS location data [8,9]. Some apps have reasonable explanations for doing so, for example to get local weather and news. Some social media apps also use location data to geotag photos and posts. However, a large number of apps collect data for advertising purposes. Some of these advertising companies even sell their data. For example, one company used their data to create a map of people who were in Fort Lauderdale for spring break and where they went afterward, to show how easily COVID could spread [10]. In some of our own research, our team found that many app developers were unaware that their own apps were collecting so much location data, it being primarily collected by third-party advertising libraries that those developers included to monetize their work [11, 12]. In fact, we found that over 40% of requests for sensitive data on smartphone apps were because of third-party libraries.

Many people are also unaware that smartphone operating systems collect location data too. In 2011, executives from Apple and Google testified about why their respective smartphone operating systems was collecting location data [13]. There were reasonable explanations, for example that this location data could be used to help map out cell towers and Wi-Fi networks so that smartphones can determine their locations faster and reliably even if GPS is not working. However, this location data was collected without users’ consent or even awareness, which led to the uproar.

Many people are also unaware that Android smartphones also collect location data as part of its standard services. You can use this to view your own location history [14]. While Android has popups that require people’s consent for this service, I have found that every time I ask students about this in the classes I teach, nearly all Android users are still surprised that this feature exists.

Wi-Fi and Bluetooth are also risks for superheroes. Both Wi-Fi and Bluetooth have MAC addresses, which can be used to track specific smartphones. Many smartphones periodically send out probe requests to connect to WiFi networks they already know about. So, while a superhero is busy thwarting nefarious schemes, a smart villain might sniff and record any MAC addresses seen in an attempt to identify the superhero’s hardware identifiers, to make them easier to track in the future. Apple has addressed this problem in iOS 14 by having rotating randomized MAC addresses, though this occasionally causes some apps to break.

But it’s not just MAC addresses a superhero needs to worry about. Those Wi-Fi probe requests can include the names of the Wi-Fi networks they are trying to connect to [15]. So a villain capturing this data could use it to figure out what places the superhero has been in the past. If some of those network names are unique, for example the name of one’s home Wi-Fi network, a villain might be able to figure out where the superhero lives.

The short of it here is that popular smartphones can cause a lot of grief for superheroes, because it is far too easy to accidentally leak one’s location data or other potentially sensitive data, which, with a little work, can lead others to figure out one’s secret identity.

However, smartphones aren’t the only device superheroes need to be careful with. Apple’s new AirTags are small and inexpensive devices that use the entire network of Apple devices worldwide to track where those AirTags are. While these devices were designed to help people find their keys, luggage, or pets, some news reports suggest that some less-than-honorable individuals are using them to target expensive cars for theft or to stalk women [16]. A villain (or even a law enforcement officer) might slip a device like this onto a superhero’s costume or onto their vehicle to track them. Ok sure, Iron Man would have enough technical savviness to detect and remove these trackers, but Hawkeye and Wonder Woman probably would not. Apple has some countermeasures built in, for example iPhones will notify their owners about being possibly tracked if the AirTag has not been near its owner between eight and 24 hours. However, this only works for iOS, with minimal privacy protection for Android users. Furthermore, a villain could still get a lot of information about a superhero with 8 hours of tracking.

Now, comic book fans love debates about almost-pointless topics, like who would win in a fight or who has the best sidekick. That’s part of the fun of being a fan! One could argue about how Superman could avoid this kind of face recognition, or how Spider-Man’s spidey sense would help him avoid that kind of tracking. But, if it isn’t already obvious, this blog post isn’t really about superheroes, it’s actually about our current reality and just how widespread a lot of these surveillance technologies are.

Superheroes have to worry about having their identity being revealed, but the rest of us in the real world have to worry about just how much information about us is out there, how widely available many of these technologies are, and how both of these can be easily abused—sometimes accidentally, sometimes intentionally—by advertisers, governments, employers, stalkers, criminals, and more. 

These aren’t hypothetical concerns either. There was the case where a father learned his teenage daughter was pregnant because of predictive ads [17]. There was a priest that resigned because someone outed him as gay based on purchased location data [18]. There was a Black man arrested due to a false positive in face recognition software [19]. There were domestic spying tools used by police in several Black Lives Matter protests—including drones, face recognition, automated license plate readers, and Stingray devices to capture cell phone data [20]—despite the vast majority of those protests being peaceful. There have been multiple cases of intimate partner violence using these kinds of smart technologies [21, 22], where one partner monitors a partner’s activities via their smartphone or smart home devices. There was NSO Group’s Pegasus spyware used to spy on journalists and human rights activists [23]. There are probably countless more technologies that authoritarian governments are deploying against their own citizens.

The challenge is that there actually are legitimate uses for many of these kinds of tracking technologies. However, despite a great deal of research and discussion on these topics, we still lack much of the user awareness, regulations, public policy, technical tools, auditing support, ethics, social norms, and economic incentives to steer us away from the worst uses. And, unlike comic books, there isn’t a Justice League or an Avengers that can swoop in and save us. The problem isn’t an incursion by a cosmic being, or an alien invasion, or schemes by a Republic serial villain. This is a problem fully of our own making, and the only ones who can fix things is us.

References

1. Tucille, J.D. New Yorkers Are Watched by More Than 15,000 Surveillance Cameras. Reason. June 7, 2021. https://reason.com/2021/06/07/new-yorkers-are-watched-by-more-than-15000-surveillance-cameras

2. Thompson, L. Air Force's Secret "Gorgon Stare" Program Leaves Terrorists Nowhere To Hide. Forbes. Apr 10, 2015. https://www.forbes.com/sites/lorenthompson/2015/04/10/air-forces-secret-gorgon-stare-program-leaves-terrorists-nowhere-to-hide/

3. Michel, A.H. Eyes In The Sky: The Secret Rise of Gorgon Stare and How It Will Watch Us All. Mariner Books. 2019.

4. Superman – Want to tag Clark Kent? https://knowyourmeme.com/photos/1218277-superman

5. Ingram, D. Facebook to delete 1 billion people's 'facial recognition templates'. NBC News. Nov 2, 2021. https://www.nbcnews.com/tech/tech-news/facebook-end-uses-facial-recognition-criticism-lawsuit-rcna4358

6. Moyer, E. Clearview AI set to get patent for controversial facial recognition tech. C|Net. Dec 4, 2021. https://www.cnet.com/news/clearview-ai-set-to-get-patent-for-controversial-facial-recognition-tech

7. Whittaker, Z. T-Mobile quietly reported a sharp rise in police demands for cell tower data. TechCrunch. July 12, 2019. https://techcrunch.com/2019/07/12/t-mobile-cell-tower-government-demands/

8. Valentino-DeVries, J., Singer, N., Keller, M., and Krolik, A. Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret. The New York Times. Dec 10, 2018. https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

9. Thompson, S., and Warzel, C. Twelve Million Phones, One Dataset, Zero Privacy. The New York Times. Dec 19, 2019. https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html

10. O’Sullivan, D. How the cell phones of spring breakers who flouted coronavirus warnings were tracked. CNN. Apr 4, 2020. https://www.cnn.com/2020/04/04/tech/location-tracking-florida-coronavirus/index.html

11. Balebako, R., Marsh, A., Lin, J., Hong, J.I., Cranor, L.F. The privacy and security behaviors of smartphone app developers. Workshop on Usable Security (USEC 2014). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.661.4221&rep=rep1&type=pdf

12. Chitkara, S., et al. Does this App Really Need My Location? Context-Aware Privacy Management for Smartphones. IMWUT 2017. https://dl.acm.org/doi/10.1145/3132029

13. Pepitone, J. Apple and Google get grilled on privacy. CNN. May 10, 2011. https://money.cnn.com/2011/05/10/technology/apps_privacy_hearing/index.htm

14. Google Account Help. Manage your Location History. https://support.google.com/accounts/answer/3118687?hl=en

15. Gallagher, S. Where’ve you been? Your smartphone’s Wi-Fi is telling everyone. [Updated]. Ars Technica. Nov 5, 2014. https://arstechnica.com/information-technology/2014/11/where-have-you-been-your-smartphones-wi-fi-is-telling-everyone/

16. Mac, R., and Hill, K. Are Apple AirTags Being Used to Track People and Steal Cars? The New York Times. Dec 30, 2021. https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html

17. Duhigg, C. How Companies Learn Your Secrets. The New York Times. Feb 16, 2012. https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html

18. Associated Press. Priest outed via Grindr app highlights rampant data tracking. July 23, 2021. https://www.usatoday.com/story/tech/2021/07/23/priest-outed-via-grindr-highlights-rampant-data-tracking/8067226002/

19. Allyn, B. 'The Computer Got It Wrong': How Facial Recognition Led To False Arrest Of Black Man. NPR. June 24, 2020. https://www.npr.org/2020/06/24/882683463/the-computer-got-it-wrong-how-facial-recognition-led-to-a-false-arrest-in-michig

20. Reichert, C. House Dems demand FBI, others stop spying on Black Lives Matter protests. C|Net. June 9, 2020. https://www.cnet.com/tech/services-and-software/house-dems-ask-fbi-others-to-stop-spying-on-black-lives-matter-protesters/

21. Freed, D., et al. "A Stalker’s Paradise": How Intimate Partner Abusers Exploit Technology. CHI 2018. https://dl.acm.org/doi/10.1145/3173574.3174241

22. Bowles, N. Thermostats, Locks and Lights: Digital Tools of Domestic Abuse. The New York Times. June 23 ,2018. https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

23. Benjakob, O. The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware. Haaretz. Jan 20, 2022. https://www.haaretz.com/israel-news/MAGAZINE-nso-pegasus-spyware-file-complete-list-of-individuals-targeted-1.10549510

 

Jason Hong is a professor in the School of Computer Science, and the Human Computer Interaction Institute, of Carnegie Mellon University.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More