If you've been following security news today (May 19), you may have read something rather alarming. According to a joint study from Oxford University and MIT, sharing your location on Twitter is tantamount to plastering your home and work address up on the Internet.
The study itself, which is both extremely interesting and profoundly clever, recruited a bunch of average Joes and Janes to see if they could deduce where frequent Twitter users lived and worked. Short answer: They could, and without much difficulty. But the process is not nearly as simple or straightforward as it may sound.
First things first: Location-sharing in Twitter is an opt-in process. You can turn it on and off in the settings menu or on a tweet-by-tweet basis. Unless you go out of your way to share your location, no one will ever find it through Twitter except through contextual clues. As the study points out, however, there are both social and economic benefits to leaving sharing on, so let's assume you do want to use it.
In the study, researchers recruited frequent Twitter users from the Boston area and asked permission to collect their tweets, complete with location data. Naturally, a cybercriminal wouldn't go through such niceties, but there's one very important detail here: The researchers specifically needed participants who would share their exact latitudinal and longitudinal data.
By default, Twitter's location services give only a general area. For example, if I tweet from home about playing Uncharted 4, Twitter gives my location as "Queens, NY." If I tweet from work about testing a new gaming mouse, Twitter gives my location as "Manhattan, NY." Even the most tinfoil-hatted security researcher would probably admit that this is relatively harmless information.
What the researchers needed their participants to do, by contrast, was to use a Twitter feature known as "share precise location." This lets you either select an exact location (public businesses only, though, so it wouldn’t let anyone find you at home), or use your exact latitude and longitude to extrapolate your more general location.
Not only is this feature a bit hard to find (you have to tap on the location icon, even if you already have location-sharing turned on), but you have to manually enable this permission for each individual tweet. There is no way to leave it on across the board.
Perhaps the most reassuring thing about location sharing is that even if you were to share your precise latitude and longitude with every single tweet, there would be no easy way for everyday users to find it. In Twitter's apps, for both mobile devices and computers, a user's latitude and longitude are always generalized into a location like "Queens" or "Manhattan."
While you can indeed do a reverse lookup by latitude and longitude using a feature called "geocode," this just displays all tweets from a given location. It's a fantastically inefficient, inaccurate way to find someone's home or work address, especially in a populous area.
This isn't to say that sharing your precise location is without risk. Twitter lets developers search for latitude and longitude in its APIs, so it's conceivable that a developer could create such a program. (We can presume that the researchers created something along these lines, but if there's any widely available API to reveal users' coordinates, I couldn't find it.)
Twitter's terms of service also require that developers notify users when attempting to access their latitude and longitude. While a cybercriminal is probably not overly interested in such stipulations, it does mean that advertisers, government bodies and moderately tech-savvy people can't do much without your knowledge and permission.
In short, the paper is correct: If you give a collection of everyday folks access to detailed Twitter information, they can indeed divine where you work, where you live, and how you commute from place to place. However, this information, while by no means inaccessible, is well beyond what an ordinary person would care to look for, or what the average Twitter user shares.
As always, your online privacy is a currency, just like money. Use it wisely, but don't hoard it; not every bit of information shared will open you up to identity theft. For now, though, it's probably best to leave your latitude and longitude out of your tweets — unless you're lost in the wilderness and need extraction, of course.