Online stalking: London, Paris, New York


The popular app Citymapper, which began in London and has since expanded to New York, Paris, and Amsterdam, is a live journey planning application that integrates all available modes of transport. Providing this service allows Citymapper to collect vast amounts of data: where, when, and by what modes of transport people travel, and the exact routes they take. An app update in October 2015 added a feature allowing users to share routes and arrival times with friends via customised web addresses, whether or not those friends also use the app. In a study of these web addresses, researcher Daniel Faram was able to harvest the data relating to 35,000 trips and match the results against publicly available information to identify some of the real-life individuals taking these journeys. Re-running the same scripts allowed Faram to compile a pattern of travel over time, which is ideal for a stalker. Faram recommended that Citymapper should: increase the complexity of the web addresses used for sharing trips; remove links a few days after the trip is complete; and remove first names or home labels from the public application programming interface (API) that enables the script to work. When Citymapper was notified of the issue, it rolled out a patch within a week that made the attack infeasible.
Writer: Daniel Faram
Publication: Darkport
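
The three recommendations above, sketched as a server-side share-link store. This is an added example, not Citymapper's code or code from the original write-up; the field names, the 128-bit token size and the 3-day lifetime are assumptions.

```python
import secrets
import time

TOKEN_BYTES = 16                    # 128 random bits per link (assumed size)
LINK_TTL_SECONDS = 3 * 24 * 3600    # "a few days" after arrival; 3 days is assumed
PRIVATE_FIELDS = {"first_name", "start_label", "end_label"}  # hypothetical field names

SHARES = {}  # token -> (public_view, expires_at); stands in for a database table


def create_share(trip):
    """Store a redacted copy of the trip under an unguessable token."""
    # Recommendation 3: names and home labels never reach the public API.
    public_view = {k: v for k, v in trip.items() if k not in PRIVATE_FIELDS}
    # Recommendation 1: token from a CSPRNG, not a short or sequential id.
    token = secrets.token_urlsafe(TOKEN_BYTES)
    # Recommendation 2: the link lifetime is tied to the end of the trip.
    SHARES[token] = (public_view, trip["arrival_ts"] + LINK_TTL_SECONDS)
    return token


def resolve_share(token, now=None):
    """Return the public view, or None for unknown and expired tokens alike."""
    now = time.time() if now is None else now
    entry = SHARES.get(token)
    if entry is None:
        return None
    public_view, expires_at = entry
    if now >= expires_at:
        del SHARES[token]           # expired links are deleted, not just hidden
        return None
    return public_view


def purge_expired(now=None):
    """Periodic clean-up so stale trips do not linger until someone asks for them."""
    now = time.time() if now is None else now
    stale = [t for t, (_, exp) in SHARES.items() if now >= exp]
    for t in stale:
        del SHARES[t]
    return len(stale)


if __name__ == "__main__":
    # Constructed sample trip, not real data.
    trip = {"first_name": "Alex", "start_label": "Home", "end_label": "Work",
            "route": ["Stop A", "Stop B"], "arrival_ts": int(time.time())}
    tok = create_share(trip)
    print(tok, resolve_share(tok))
```

Unknown and expired tokens return the same result, so a client probing addresses cannot tell a past trip from one that never existed.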
