For years now, the word “social” has permeated every aspect of our online experiences. Integrating social aspects into development projects has been the norm for a long while now. That being said, some actors within the tech world seem to push the boundaries of what is acceptable when aggregating user-identifying data. Results of these aggregations/linkages range from harmless to outright creepy. Such an instance happened to me recently, and I thought I’d share as yet another warning to those who choose to share openly.
In the past couple of years, I’ve really invested in my business processes, looking for gains in both efficiency and client satisfaction. One of the things I’ve added is a dedicated conferencing solution to communicate more effectively with clients. Skype works well, but it’s something that’s always available to clients and can be quite distracting to me if they abuse the privilege.
After trying out a few, like Zoom, Chime, and couple of other new players, I settled on UberConference. The features for the free plan were good, the interface is modern and capable yet not overwhelming. It’s worked out very well so far, and clients seem to like it.
While in a conference, each participant is shown as a card. If you have saved a profile picture to your UberConference account, it will display as your avatar. However, if a user has not uploaded a picture, it simply shows a zoomed-in portion of Google Maps depicting a best guess of that user’s location. The guess is based on either reverse-IP lookup for web users or phone number records for those calling in.
In late November of 2017, I attended a conference that was hosted by another client. This was not in my account, but I was signed in. Shortly after the conference started, an image of a person replaced my map avatar. It was labeled with my name, but the image was not of me. I was, understandably, surprised.
I immediately recognized the person in the photo because they do indeed share my first and last names. Furthermore, they live only a few hours away in the same state, based on public data.1This doppelganger has been a source of frustration for me over the last few years. I frequently receive emails meant for this individual pertaining to real estate and requests related to custom signs and other self-promotional material. Based on this information, it’s obvious UberConference’s back-end performed a Google search for my name and picked an image from the results.
I Will Find You, And I Will De-Anonymize You!
The back-end logic decided that image #7 was appropriate, not the very first result. Interestingly, image #7 is more “professional” than the others, showing a person in a suit and tie. It’s even possible that they fed the top results through an image recognition API, like Amazon Rekognition, Google Cloud Vision, etc., looking for a “fitting” image for a conference calling platform.2I performed many searches for my name, adding words like “business”, “professional”, “service”, “suit”, “profile”, etc., and I never found a query that returned the selected image as the first result. However, it’s certainly possible that there is a query that would return the final image selected by UC as the first result.
Apparently, if a user declines to upload a profile image, services will now find one for you! Some of the more socially promiscuous may approve of such a “feature”. I, however, do not. Also, the image didn’t display in my account, so I couldn’t remove it. It was only displayed to those with whom I was conferencing.
I contacted UberConference support to report the incident, pointing out that I had nothing to do with the image being selected. After being asked for the specific conference ID, I received the following response:
I have removed the photo from your profile and from the backend. Moving forward, you will no longer see any image when on an UberConference call.
I replied back, asking for clarification on why and how an image of someone sharing my name was added to my account for others to view. To date, I have not received a response to my inquiry.
We can infer that an overzealous product manager approved this “feature” for production. Whether this was an experiment or not, I don’t believe this is something any developer would causally integrate. We tend to be a more security- and privacy-conscious bunch than the general population.
De-anonymization has popped up as a cottage industry in the last few years. Its aim is to take huge datasets of raw, anonymized analytics and attempt to aggregate and identify specific users based on “fingerprints”. Location. Purchase history. Times of day. Engagement habits. All are data points to establish a breadcrumb trail leading to a specific user. Machine learning is helping the cause of advertisers in this quest, mapping and reducing billions of pieces of a puzzle.
It seems in the quest for a more “social” product, UberConference stepped over the line. Has anyone else had a similar experience with any other online services?
|1||This doppelganger has been a source of frustration for me over the last few years. I frequently receive emails meant for this individual pertaining to real estate and requests related to custom signs and other self-promotional material.|
|2||I performed many searches for my name, adding words like “business”, “professional”, “service”, “suit”, “profile”, etc., and I never found a query that returned the selected image as the first result. However, it’s certainly possible that there is a query that would return the final image selected by UC as the first result.|