Potential mass surveillance and privacy violations in proximity-based social applications
This work highlights critical privacy risks in proximity-based social apps, exposing vulnerabilities that could enable mass surveillance and identity linking for users in urban settings.
The paper analyzes popular dating apps that share users' relative distances and demonstrates a multilateration attack that can pinpoint a user's actual location and track their movements over time, revealing habits and points of interest. It also introduces a social attack that uses Facebook likes to link online profiles to real identities.
Proximity-based social applications let users interact with people who are currently close to them, by revealing some information about their preferences and whereabouts. This information is acquired through passive geo-localisation and used to build a sense of serendipitous discovery of people, places and interests. Unfortunately, while this class of applications opens different interaction possibilities for people in urban settings, access to certain identity information could allow a privacy attacker to identify a user and follow their movements over a specific period of time. The same information shared through the platform could also help an attacker link the victim's online profiles to physical identities. We analyse a set of popular dating applications that share users' relative distances within a certain radius and show how, by using the information shared on these platforms, it is possible to formalise a multilateration attack able to identify the user's actual position. The same attack can also be used to follow a user in all their movements within a certain period of time, thereby identifying their habits and Points of Interest across the city. Furthermore, we introduce a social attack which uses common Facebook likes to profile a person and finally identify their real identity.